• Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Backend/Core
  • Assigned To No-one
  • Operating System All
  • Severity High
  • Priority High
  • Reported Version 1.0-beta
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Flyspray
Opened by joekolade - 03.11.2015
Last edited by peterdd - 05.05.2021

FS#2086 - Basic User can see all Projects and Tasks

Since Update to Flyspray 1.0 Beta2 all users can see every task in every project.

The rights were set up correctly in Flyspray 1.0 Alpha and worked just fine.

Closed by  peterdd
05.05.2021 22:35
Reason for closing:  Complete

Could you please provide (censored if you want)
screenshots of

  • global permissions: index.php?do=admin&area=groups
  • and of a project: for instance index.php?do=pm&area=groups&project=1
  • index.php?do=admin&area=editgroup&id=4 ('Basic' by Flyspay install)

And maybe php versions, db version (but I think thats not the problem)

Server PHP Version: 5.4.45
MySQL client API: 5.0.10

Attached are some screens.
Rights look fine – imho!?!? – and worked well in alpha.

The screen of the overview shows the overview/toplevel of a user that is in the mentioned global usergroups "basic" and member of the customer user group in the projekt "flyspray".
but he can see all projects and also can view all tasks of every project. projects are correctly set ("Allow anyone to view tasks of this project" is UNchecked)


Maybe this commit?

Need to dig in what view_groups_task, view_own_tasks exactly means to the perm system.

It seems there are some perms set on index.php?do=admin&area=editgroup&id=4
but not visible on the perm overview pages. (view_groups_tasks, view_own_tasks)

Reverting the changes from this commit indeed helps.

Didn't test very properly but first glance looks good.


I added now 2 missing permission settings to the group views to github master. (global and projects)

So probably your global basic group had view_groups_tasks and view_own_tasks set?
Does it solve your problem if you drop this 2 permissions from basic group?


  • make overruling permission logic more visible and documentation/tooltips(view_tasks overrules view_groups_tasks and view_own_tasks regardless of setting of view_groups_tasks and view_own_task)

Master fixes the overview and the lists.

I unchecked "view_groups_tasks":
But in the project selector dropdown there still are all projects available for every user

Unchecking "view_own_tasks" fixes that too – thanks (I don't dig into that, but it works!)


Can we have a link to help docs for this. It's incredibly confusing. I cannot set up a user with this scenario:

Can only see projects that they are assigned to / or assigned to tasks within that project

I can only get on of two scenarios working:

See ALL projects


See NO projects

Spent ages trying to understand how it works without any joy

It seems the simplest way to do this is set a global user group with permissions 'allow login in' and leave everything else unchecked then assign user to that global group, then set the up another group on a project basis say for example 'client' if you want to allow clients to view tasks and make comments you can add permission to the project group view tasks, view comments, add comments, edit own comments, add the user to that that group within the project ... That seems to do the trick


Available keyboard shortcuts


Task Details

Task Editing