Opened 11 years ago
Last modified 9 years ago
#11176 closed enhancement
Fine-grained permission checks should be enforced on the Report list page — at Version 2
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | 1.0.2 |
| Component: | report system | Version: | 1.0-stable |
| Severity: | normal | Keywords: | permissions authzpolicy report |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description (last modified by )
If a user doesn't have permission to view a report because of the TracFineGrainedPermissions policy, then on the Report list page (/report):
- The link should be inactive and have the forbidden styling.
- The report description should not be shown.
Here is an example of the desired behavior when the user only has permission to view reports 1 and 4. The anonymous group has been granted the coarse-grained REPORT_VIEW. The screenshots show the view that the anonymous user sees with the fix in place:
[report:1] anonymous = REPORT_VIEW [report:4] anonymous = REPORT_VIEW [report:*] * =
This ticket resulted from discussion in th:#11047 and th:#11049.
Change History (4)
by , 11 years ago
| Attachment: | ReportList.png added |
|---|
by , 11 years ago
| Attachment: | ReportList2.png added |
|---|
comment:1 by , 11 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 11 years ago
| Description: | modified (diff) |
|---|
Note:
See TracTickets
for help on using tickets.
