Opened 6 years ago

Last modified 3 years ago

#4292 reopened defect

ROADMAP_VIEW / MILESTONE_VIEW privilege

Reported by: dave@… Owned by: jonas
Priority: normal Milestone: next-major-releases
Component: roadmap Version: 0.10.2
Severity: minor Keywords: needmajor
Cc: dave@…
Release Notes:
API Changes:

Description

roadmap.py is checking for ROADMAP_VIEW, which will only work as long as one keeps the ROADMAP_VIEW permission for anonymous that's set up by db_default.py. Once you delete that, nobody without WIKI_ADMIN privileges can look at the roadmap, because you can create MILESTONE_VIEW privs to your heart's content but they'll be ignored.

Attachments (0)

Change History (5)

comment:1 Changed 6 years ago by mgood

  • Resolution set to worksforme
  • Status changed from new to closed

I assume you mean MILESTONE_ADMIN, not WIKI_ADMIN. The MILESTONE_VIEW permission works as documented, allowing a user to view individual milestones. The ROADMAP_VIEW permission is required to view the roadmap.

comment:2 Changed 6 years ago by David Abrahams <dave@…>

  • Cc dave@… added
  • Resolution worksforme deleted
  • Status changed from closed to reopened

No, I did not mean MILESTONE_ADMIN, I really meant WIKI_ADMIN. Ooooh, I see, ROADMAP_VIEW and MILESTONE_VIEW are distinct concepts. That's a bit confusing because I'm sure I saw it documented somewhere that all the MILESTONE_* privileges used to be called ROADMAP_*, so I assumed ROADMAP_VIEW was obsolete.

Well, all I can tell you is that I had MILESTONE_ADMIN set, and still could not view the roadmap page. Is that the expected behavior? If so, IMO it should be documented as such.

comment:3 Changed 6 years ago by cboos

The ROADMAP_VIEW could be replaced by MILESTONE_LIST.

(similar to the ATTACHMENT_LIST permission introduced in the source:sandbox/security branch)

comment:4 Changed 6 years ago by cboos

  • Milestone set to 0.12

comment:5 Changed 3 years ago by cboos

  • Component changed from general to roadmap
  • Keywords needmajor added
  • Severity changed from major to minor

See also #3022. We should eventually remove all ROADMAP_* permissions.
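
An added example, not part of the ticket or of Trac's own code: a small audit over (subject, action) permission rows that flags subjects holding MILESTONE_* grants who would still fail a ROADMAP_VIEW check, which is the situation reported above. The sample rows, the group-expansion rule (lowercase entries name groups, every subject inherits from anonymous) and the TRAC_ADMIN shortcut are assumptions of this example.

```python
# Assumption taken from this ticket: the roadmap page checks ROADMAP_VIEW only,
# and MILESTONE_* grants (MILESTONE_ADMIN included) do not satisfy that check.
ROADMAP_ACTION = "ROADMAP_VIEW"


def effective_actions(rows, subject):
    """Actions held by subject, following group rows (non-uppercase 'action')."""
    subjects = {subject, "anonymous"}
    if subject != "anonymous":
        subjects.add("authenticated")
    actions = set()
    changed = True
    while changed:  # repeat until nested group memberships are resolved
        changed = False
        for who, what in rows:
            if who not in subjects:
                continue
            target = actions if what.isupper() else subjects
            if what not in target:
                target.add(what)
                changed = True
    return actions


def roadmap_gaps(rows):
    """Subjects with a MILESTONE_* action that cannot pass the roadmap check."""
    gaps = []
    for subject in sorted({who for who, _ in rows}):
        held = effective_actions(rows, subject)
        if "TRAC_ADMIN" in held or ROADMAP_ACTION in held:
            continue
        milestone = sorted(a for a in held if a.startswith("MILESTONE_"))
        if milestone:
            gaps.append((subject, milestone))
    return gaps


# Constructed sample: the default anonymous ROADMAP_VIEW grant has been removed.
SAMPLE_ROWS = [
    ("anonymous", "WIKI_VIEW"),
    ("authenticated", "MILESTONE_VIEW"),
    ("alice", "MILESTONE_ADMIN"),
    ("alice", "developers"),
    ("developers", "TICKET_MODIFY"),
    ("erin", "ROADMAP_VIEW"),
    ("root", "TRAC_ADMIN"),
]

if __name__ == "__main__":
    for subject, held in roadmap_gaps(SAMPLE_ROWS):
        print(f"{subject}: has {held} but not {ROADMAP_ACTION}")
```

Granting ROADMAP_VIEW to anonymous again, as db_default.py does, empties the report, because every subject inherits it.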
