- Status Closed
- Percent Complete
- Task Type Bug Report
- Category Backend/Core
- Assigned To No-one
- Operating System All
- Severity High
- Priority High
- Reported Version 1.0-beta
- Due in Version Undecided
- Due Date Undecided
FS#2086 - Basic User can see all Projects and Tasks
Since Update to Flyspray 1.0 Beta2 all users can see every task in every project.
The rights were set up correctly in Flyspray 1.0 Alpha and worked just fine.
Could you please provide (censored if you want)
screenshots of
And maybe PHP versions, DB version (but I think that's not the problem)
Server PHP Version: 5.4.45
MySQL client API: 5.0.10
Attached are some screens.
Rights look fine – imho!?!? – and worked well in alpha.
The screen of the overview shows the overview/toplevel of a user that is in the mentioned global usergroups "basic" and member of the customer user group in the project "flyspray".
But he can see all projects and can also view all tasks of every project. Projects are correctly set ("Allow anyone to view tasks of this project" is UNchecked).
Maybe this commit?
https://github.com/Flyspray/flyspray/commit/8e499691bb8d008ed5bdb4c7cf7c5d9154e8fbc4
Need to dig into what view_groups_tasks and view_own_tasks exactly mean to the perm system.
It seems there are some perms set on index.php?do=admin&area=editgroup&id=4
but not visible on the perm overview pages. (view_groups_tasks, view_own_tasks)
Reverting the changes from this commit
https://github.com/Flyspray/flyspray/commit/8e499691bb8d008ed5bdb4c7cf7c5d9154e8fbc4 indeed helps.
Didn't test very properly but first glance looks good.
I have now added 2 missing permission settings to the group views on GitHub master (global and projects).
So probably your global basic group had view_groups_tasks and view_own_tasks set?
Does it solve your problem if you drop these 2 permissions from the basic group?
TODO:
Master fixes the overview and the lists.
I unchecked "view_groups_tasks":
But in the project selector dropdown there still are all projects available for every user
Unchecking "view_own_tasks" fixes that too – thanks (I don't dig into that, but it works!)
Thanks.
Can we have a link to help docs for this? It's incredibly confusing. I cannot set up a user with this scenario:
Can only see projects that they are assigned to / or assigned to tasks within that project
I can only get one of two scenarios working:
See ALL projects
or
See NO projects
Spent ages trying to understand how it works without any joy
It seems the simplest way to do this is to set a global user group with permissions 'allow login in' and leave everything else unchecked, then assign the user to that global group. Then set up another group on a project basis, say for example 'client'. If you want to allow clients to view tasks and make comments, you can add permissions to the project group (view tasks, view comments, add comments, edit own comments) and add the user to that group within the project ... That seems to do the trick.
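An audit sketch for the configuration discussed in this thread, added here as an example and not Flyspray's own code: it lists global groups that still carry the view permissions named above (view_groups_tasks, view_own_tasks, plus view_tasks) together with how many users inherit them. The table and column layout (flyspray_groups, flyspray_users_in_groups, project_id = 0 meaning a global group), the SQLite stand-in and every sample row are assumptions constructed for illustration.

```python
import sqlite3

# View permissions the thread ties to cross-project visibility when set on a
# GLOBAL group. Including view_tasks follows the "leave everything else
# unchecked" advice in the last comment and is an assumption.
VIEW_PERMS = ("view_tasks", "view_groups_tasks", "view_own_tasks")

def build_sample_db():
    """Constructed stand-in for the tracker's group and membership tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE flyspray_groups (
            group_id INTEGER PRIMARY KEY, group_name TEXT,
            project_id INTEGER,              -- 0 = global group (assumption)
            view_tasks INTEGER, view_groups_tasks INTEGER, view_own_tasks INTEGER);
        CREATE TABLE flyspray_users_in_groups (user_id INTEGER, group_id INTEGER);
        INSERT INTO flyspray_groups VALUES
            (1, 'admin',     0, 1, 1, 1),
            (4, 'basic',     0, 0, 1, 1),   -- the misconfiguration from the thread
            (7, 'loginonly', 0, 0, 0, 0),   -- global group with login only
            (9, 'customer',  2, 1, 0, 0);   -- project-level group, not flagged
        INSERT INTO flyspray_users_in_groups VALUES
            (10, 1), (11, 4), (12, 4), (13, 7), (11, 9);
    """)
    return db

def audit_global_view_perms(db, exempt=("admin",)):
    """Return (group_name, [view perms set], member_count) per global group."""
    cols = ", ".join("g." + c for c in VIEW_PERMS)
    any_set = " OR ".join(f"g.{c} = 1" for c in VIEW_PERMS)
    rows = db.execute(f"""
        SELECT g.group_name, {cols}, COUNT(u.user_id)
        FROM flyspray_groups g
        LEFT JOIN flyspray_users_in_groups u ON u.group_id = g.group_id
        WHERE g.project_id = 0 AND ({any_set})
        GROUP BY g.group_id
        ORDER BY g.group_id""").fetchall()
    findings = []
    for name, *rest in rows:
        flags, members = rest[:-1], rest[-1]
        if name in exempt:
            continue  # groups that are meant to see everything
        findings.append((name, [c for c, v in zip(VIEW_PERMS, flags) if v], members))
    return findings

if __name__ == "__main__":
    for name, perms, members in audit_global_view_perms(build_sample_db()):
        print(f"global group {name!r}: {', '.join(perms)} set, {members} member(s)")
```

Against a real installation the same SELECT would be run on the tracker's database after confirming the actual table prefix and column names.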