ROADMAP_VIEW / MILESTONE_VIEW privilege

[dave@…]

roadmap.py is checking for ROADMAP_VIEW, which will only work as long as one keeps the ROADMAP_VIEW permission for anonymous that's set up by db_default.py. Once you delete that, nobody without WIKI_ADMIN privileges can look at the roadmap, because you can create MILESTONE_VIEW privs to your hearts content but they'll be ignored.

[mgood]

I assume you mean MILESTONE_ADMIN, not WIKI_ADMIN. The MILESTONE_VIEW permission works as documented, allowing a user to view individual milestones. The ROADMAP_VIEW permission is required to view the roadmap.

[David Abrahams <dave@…>]

No, I did not mean MILESTONE_ADMIN, I really meant WIKI_ADMIN. Ooooh, I see, ROADMAP_VIEW and MILESTONE_VIEW are distinct concepts. That's a bit confusing because I'm sure I saw it documented somewhere that all the MILESTONE_* privileges used to be called ROADMAP_*, so I assumed ROADMAP_VIEW was obsolete.

Well, all I can tell you is that I had MILESTONE_ADMIN set, and still could not view the roadmap page. Is that the expected behavior? If so, IMO it should be documented as such.

[cboos]

The ROADMAP_VIEW could be replaced by MILESTONE_LIST.

(similar to the ATTACHMENT_LIST permission introduced in the source:sandbox/security branch)