Ticket #4292 (reopened defect)
ROADMAP_VIEW / MILESTONE_VIEW privilege
| Reported by: | dave@… | Owned by: | jonas |
|---|---|---|---|
| Priority: | normal | Milestone: | next-major-0.1X |
| Component: | general | Version: | 0.10.2 |
| Severity: | major | Keywords: | |
| Cc: | dave@… |
Description
roadmap.py is checking for ROADMAP_VIEW, which will only work as long as one keeps the ROADMAP_VIEW permission for anonymous that's set up by db_default.py. Once you delete that, nobody without WIKI_ADMIN privileges can look at the roadmap, because you can create MILESTONE_VIEW privs to your heart's content but they'll be ignored.
Attachments
Change History
comment:1 Changed 4 years ago by mgood
- Status changed from new to closed
- Resolution set to worksforme
I assume you mean MILESTONE_ADMIN, not WIKI_ADMIN. The MILESTONE_VIEW permission works as documented, allowing a user to view individual milestones. The ROADMAP_VIEW permission is required to view the roadmap.
comment:2 Changed 4 years ago by David Abrahams <dave@…>
- Cc dave@… added
- Status changed from closed to reopened
- Resolution worksforme deleted
No, I did not mean MILESTONE_ADMIN, I really meant WIKI_ADMIN. Ooooh, I see, ROADMAP_VIEW and MILESTONE_VIEW are distinct concepts. That's a bit confusing because I'm sure I saw it documented somewhere that all the MILESTONE_* privileges used to be called ROADMAP_*, so I assumed ROADMAP_VIEW was obsolete.
Well, all I can tell you is that I had MILESTONE_ADMIN set, and still could not view the roadmap page. Is that the expected behavior? If so, IMO it should be documented as such.
comment:3 Changed 3 years ago by cboos
The ROADMAP_VIEW could be replaced by MILESTONE_LIST.
(similar to the ATTACHMENT_LIST permission introduced in the source:sandbox/security branch)
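
Added example, not part of the ticket and not Trac's own code: a sketch that audits a permission listing for the situation this ticket describes, subjects that hold MILESTONE_* actions but no ROADMAP_VIEW and so cannot open the roadmap. It assumes rows shaped like Trac's permission table (username, action), group membership written as a lower-case action, inheritance from the built-in anonymous and authenticated groups, and TRAC_ADMIN granting everything; the sample rows and function names are constructed.

```python
# Constructed rows in the (username, action) shape of Trac's permission table,
# modelling a site where anonymous no longer holds ROADMAP_VIEW.
# Assumption: an action that is not ALL_CAPS names a group the subject belongs to.
SAMPLE_ROWS = [
    ("anonymous", "WIKI_VIEW"),
    ("anonymous", "MILESTONE_VIEW"),
    ("authenticated", "TICKET_CREATE"),
    ("dave", "MILESTONE_ADMIN"),
    ("jonas", "developers"),
    ("developers", "ROADMAP_VIEW"),
    ("developers", "MILESTONE_VIEW"),
    ("root", "TRAC_ADMIN"),
]


def effective_actions(subject, rows):
    """Resolve a subject's actions through group rows and the built-in groups."""
    pending = [subject, "anonymous"]
    if subject != "anonymous":
        pending.append("authenticated")  # assumption: named subjects are logged in
    seen, actions = set(), set()
    while pending:
        name = pending.pop()
        if name in seen:
            continue  # guards against group membership cycles
        seen.add(name)
        for user, action in rows:
            if user != name:
                continue
            if action.isupper():
                actions.add(action)      # a real permission action
            else:
                pending.append(action)   # a group to expand
    return actions


def roadmap_lockouts(rows):
    """Subjects holding a MILESTONE_* action who still cannot open the roadmap."""
    locked = {}
    for subject in sorted({user for user, _ in rows}):
        actions = effective_actions(subject, rows)
        if "TRAC_ADMIN" in actions or "ROADMAP_VIEW" in actions:
            continue
        milestone = sorted(a for a in actions if a.startswith("MILESTONE_"))
        if milestone:
            locked[subject] = milestone
    return locked
```

Feeding it the real output of a permission listing instead of `SAMPLE_ROWS` shows who would lose the roadmap before the default anonymous grant is removed.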