Fine-grained permission checks should be enforced on the Report list page
|Reported by:||Owned by:||Ryan J Ollos|
|Severity:||normal||Keywords:||permissions authzpolicy report|
Enforce fine-grained permission policies in the report module.
Description
If a user doesn't have permission to view a report because of the TracFineGrainedPermissions policy, then on the Report list page (
- The link should be inactive and have the forbidden styling.
- The report description should not be shown.
Here is an example of the desired behavior when the user only has permission to view reports 1 and 4. The anonymous group has been granted the coarse-grained REPORT_VIEW. The screenshots show the view that the anonymous user sees with the fix in place:

[report:1]
anonymous = REPORT_VIEW

[report:4]
anonymous = REPORT_VIEW

[report:*]
* =
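The behavior requested above, as an added example that is not Trac's own code: a simplified model of how the policy in this ticket decides each row of the Report list. The names `load_policy`, `check` and `report_list` are hypothetical, the sample reports are constructed, and the model leaves out groups, `!` negation and resource versions.

```python
from configparser import ConfigParser
from fnmatch import fnmatchcase

# Policy from the ticket, one rule per line.
AUTHZ = """
[report:1]
anonymous = REPORT_VIEW
[report:4]
anonymous = REPORT_VIEW
[report:*]
* =
"""
# Constructed sample reports: (id, title, description).
REPORTS = [(1, "Report A", "desc A"), (2, "Report B", "desc B"),
           (3, "Report C", "desc C"), (4, "Report D", "desc D")]

def load_policy(text):
    """Parse the authz file into an ordered list of (pattern, entries)."""
    cp = ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep subject names as written
    cp.read_string(text)
    policy = []
    for section in cp.sections():
        entries = [(who, perms.replace(",", " ").split())
                   for who, perms in cp.items(section)]
        policy.append((section, entries))
    return policy

def check(policy, user, action, resource):
    """First matching section with an entry for the user decides.
    True = granted, False = denied, None = policy has no opinion."""
    subjects = {"*", "anonymous"}
    if user != "anonymous":
        subjects |= {"authenticated", user}
    for pattern, entries in policy:
        if fnmatchcase(resource, pattern):
            for who, perms in entries:
                if who in subjects:
                    if not perms:
                        return False  # empty list denies every action
                    return True if action in perms else None
    return None

def report_list(policy, user, reports, coarse=frozenset({"REPORT_VIEW"})):
    """Build list rows; fall back to the coarse grant only on None."""
    rows = []
    for rid, title, description in reports:
        decision = check(policy, user, "REPORT_VIEW", "report:%d" % rid)
        allowed = ("REPORT_VIEW" in coarse) if decision is None else decision
        rows.append({"id": rid, "title": title, "link_active": allowed,
                     "description": description if allowed else None})
    return rows
```

Without the `[report:*]` catch-all section the policy returns no decision for reports 2 and 3, and the coarse-grained REPORT_VIEW grant makes them visible again.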
Change History (42)
comment:4 by , 6 years ago
|Component:||general → report system|
|Keywords:||permissions authzpolicy report added|