Flyspray - The bug killer!

  • Status Unconfirmed
  • Percent Complete 20%
  • Task Type Bug Report
  • Category Backend/Core
  • Assigned To No-one
  • Operating System All
  • Severity High
  • Priority High
  • Reported Version 1.0-beta
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Flyspray - The bug killer!
Opened by Joe Kolade - 03.11.2015

FS#2086 - Basic User can see all Projects and Tasks

Since the update to Flyspray 1.0 Beta2, all users can see every task in every project.

The rights were set up correctly in Flyspray 1.0 Alpha and worked just fine.

Admin
peterdd commented on 03.11.2015 10:13

Could you please provide (censored if you want)
screenshots of

  • global permissions: index.php?do=admin&area=groups
  • and of a project: for instance index.php?do=pm&area=groups&project=1
  • index.php?do=admin&area=editgroup&id=4 ('Basic' by Flyspray install)

And maybe PHP versions, DB version (but I think that's not the problem)

Joe Kolade commented on 03.11.2015 10:29

Server PHP Version: 5.4.45
MySQL client API: 5.0.10

Attached are some screens.
Rights look fine – imho!?!? – and worked well in alpha.

The screen of the overview shows the overview/toplevel of a user that is in the mentioned global usergroup "basic" and a member of the customer user group in the project "flyspray".
But he can see all projects and can also view all tasks of every project. Projects are correctly set ("Allow anyone to view tasks of this project" is UNchecked).

Admin
peterdd commented on 03.11.2015 10:48

Maybe this commit?
https://github.com/Flyspray/flyspray/commit/8e499691bb8d008ed5bdb4c7cf7c5d9154e8fbc4

Need to dig into what view_groups_tasks, view_own_tasks exactly mean to the perm system.

It seems there are some perms set on index.php?do=admin&area=editgroup&id=4
but not visible on the perm overview pages. (view_groups_tasks, view_own_tasks)

Joe Kolade commented on 03.11.2015 11:40

Reverting the changes from this commit
https://github.com/Flyspray/flyspray/commit/8e499691bb8d008ed5bdb4c7cf7c5d9154e8fbc4 indeed helps.

Didn't test very properly but first glance looks good.

Admin
peterdd commented on 03.11.2015 17:55

I have now added 2 missing permission settings to the group views on GitHub master. (global and projects)

So probably your global basic group had view_groups_tasks and view_own_tasks set?
Does it solve your problem if you drop these 2 permissions from the basic group?

TODO:

  • make overruling permission logic more visible, plus documentation/tooltips (view_tasks overrules view_groups_tasks and view_own_tasks regardless of the setting of view_groups_tasks and view_own_tasks)

Joe Kolade commented on 04.11.2015 08:04

Master fixes the overview and the lists.

I unchecked "view_groups_tasks":
But in the project selector dropdown all projects are still available for every user.

Unchecking "view_own_tasks" fixes that too – thanks (I don't dig into that, but it works!)

Thanks.

Paul commented on 26.01.2017 15:02

Can we have a link to help docs for this? It's incredibly confusing. I cannot set up a user with this scenario:

Can only see projects that they are assigned to / or assigned to tasks within that project

I can only get one of two scenarios working:

See ALL projects

or

See NO projects

Spent ages trying to understand how it works without any joy

Paul commented on 26.01.2017 17:03

It seems the simplest way to do this is to set a global user group with permissions 'allow login in' and leave everything else unchecked, then assign the user to that global group, then set up another group on a project basis, say for example 'client'. If you want to allow clients to view tasks and make comments, you can add permissions to the project group: view tasks, view comments, add comments, edit own comments. Add the user to that group within the project ... That seems to do the trick
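
The permission interplay discussed in this thread, as an added example that is not part of the original comments and is not Flyspray's own code: it audits exported group rows for view permissions granted at the global level and for narrower flags that `view_tasks` overrules. The row layout, `project_id` 0 marking a global group, the `LoginOnly` group name and the sample data are assumptions, and the visibility rule models the behaviour reported above rather than the application's implementation.

```python
# Added example: models the behaviour reported in this thread, not Flyspray's code.
VIEW_FLAGS = ("view_tasks", "view_groups_tasks", "view_own_tasks")

# Constructed sample export. project_id 0 marking a global group is an assumption.
GROUPS = [
    {"name": "Basic", "project_id": 0,
     "view_tasks": 0, "view_groups_tasks": 1, "view_own_tasks": 1},
    {"name": "LoginOnly", "project_id": 0,
     "view_tasks": 0, "view_groups_tasks": 0, "view_own_tasks": 0},
    {"name": "client", "project_id": 1,
     "view_tasks": 1, "view_groups_tasks": 1, "view_own_tasks": 0},
]
PROJECTS = [1, 2, 3]  # constructed project ids


def set_flags(group):
    """View permissions that are switched on for one group row."""
    return [f for f in VIEW_FLAGS if group.get(f)]


def audit_groups(groups):
    """Return (group name, finding) pairs for settings that widen visibility."""
    findings = []
    for g in groups:
        flags = set_flags(g)
        if g["project_id"] == 0 and flags:
            findings.append((g["name"], "global group grants "
                             + ", ".join(flags) + " in every project"))
        # view_tasks overrules the narrower flags, so setting them too is misleading.
        if "view_tasks" in flags and len(flags) > 1:
            findings.append((g["name"], "view_tasks overrules " + ", ".join(flags[1:])))
    return findings


def visible_projects(member_of, groups, projects):
    """Projects a user reaches, given the names of the groups they belong to."""
    visible = set()
    for g in groups:
        if g["name"] in member_of and set_flags(g):
            visible.update(projects if g["project_id"] == 0 else [g["project_id"]])
    return sorted(visible)


if __name__ == "__main__":
    for name, finding in audit_groups(GROUPS):
        print(f"{name}: {finding}")
    print(visible_projects({"Basic", "client"}, GROUPS, PROJECTS))      # reported bug
    print(visible_projects({"LoginOnly", "client"}, GROUPS, PROJECTS))  # workaround
```
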
