Edgewall Software

Opened 6 years ago

Last modified 4 years ago

#11176 closed enhancement

Fine-grained permission checks should be enforced on the Report list page — at Version 2

Reported by: Ryan J Ollos <ryan.j.ollos@…>
Owned by:
Priority: normal
Milestone: 1.0.2
Component: report system
Version: 1.0-stable
Severity: normal
Keywords: permissions authzpolicy report
Cc:
Branch:
Release Notes:
API Changes:

Description (last modified by Ryan J Ollos <ryan.j.ollos@…>)

If a user doesn't have permission to view a report because of the TracFineGrainedPermissions policy, then on the Report list page (/report):

  • The link should be inactive and have the forbidden styling.
  • The report description should not be shown.

Here is an example of the desired behavior when the user only has permission to view reports 1 and 4. The anonymous group has been granted the coarse-grained REPORT_VIEW. The screenshots show the view that the anonymous user sees with the fix in place:

[report:1]
anonymous = REPORT_VIEW

[report:4]
anonymous = REPORT_VIEW

[report:*]
* =

This ticket resulted from discussion in th:#11047 and th:#11049.
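
A simplified model of the behavior requested above, as an added example that is not part of the ticket or of Trac's code: it evaluates the policy from the description with first-match section semantics and builds the rows for /report. The function names, the sample reports and the deny-on-no-match fallback are assumptions made for illustration.

```python
from configparser import ConfigParser
from fnmatch import fnmatch

# The policy from the ticket description, embedded verbatim.
AUTHZ = """
[report:1]
anonymous = REPORT_VIEW

[report:4]
anonymous = REPORT_VIEW

[report:*]
* =
"""

# Constructed sample reports (ids, titles and descriptions are made up).
REPORTS = [
    (1, "Active Tickets", "All open tickets."),
    (2, "Tickets by Version", "Open tickets grouped by version."),
    (4, "Accepted Tickets", "Tickets someone is working on."),
]

def load_policy(text):
    parser = ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep user names case-sensitive
    parser.read_string(text)
    return parser

def allowed(policy, user, action, realm, rid):
    """Simplified first-match check: the first section whose glob matches
    the resource and that names the user (or '*') decides the outcome."""
    key = "%s:%s" % (realm, rid)
    for section in policy.sections():  # sections are kept in file order
        if not fnmatch(key, section):
            continue
        for who, perms in policy.items(section):
            if who in ("*", user):
                # An empty permission list ("* =") denies every action.
                return action in perms.replace(",", " ").split()
    return False  # assumption: no matching rule is treated as deny here

def report_list(policy, user):
    """Rows for /report as (id, title, href, description). A forbidden
    report keeps its title but gets no link target and no description."""
    rows = []
    for rid, title, desc in REPORTS:
        if allowed(policy, user, "REPORT_VIEW", "report", rid):
            rows.append((rid, title, "/report/%d" % rid, desc))
        else:
            rows.append((rid, title, None, None))
    return rows
```

A template consuming these rows would render an entry with no href as inactive text with the forbidden styling and skip its description, so the listing leaks nothing beyond the title.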

Change History (4)

by Ryan J Ollos <ryan.j.ollos@…>, 6 years ago

Attachment: ReportList.png added

by Ryan J Ollos <ryan.j.ollos@…>, 6 years ago

Attachment: ReportList2.png added

comment:1 by Ryan J Ollos <ryan.j.ollos@…>, 6 years ago

Description: modified (diff)

comment:2 by Ryan J Ollos <ryan.j.ollos@…>, 6 years ago

Description: modified (diff)