id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,branch,changelog,apichanges,internalchanges
11176,Fine-grained permission checks should be enforced on the Report list page,Ryan J Ollos ,,"If a user doesn't have permission to view a report because of the TracFineGrainedPermissions policy, then on the Report list page (`/report`):
 * The link should be inactive and have the ''forbidden'' styling.
 * The report description should not be shown.

Here is an example of the desired behavior when the user only has permission to view reports 1 and 4. The ''anonymous'' group has been granted the coarse-grained `REPORT_VIEW`. The screenshots show the view that the ''anonymous'' user sees with the fix in place:
{{{
#!ini
[report:1]
anonymous = REPORT_VIEW

[report:4]
anonymous = REPORT_VIEW

[report:*]
* =
}}}

[[Image(ReportList.png,100%)]]

[[Image(ReportList2.png,100%)]]

This ticket resulted from discussion in th:#11047 and th:#11049.",enhancement,new,normal,,general,1.0-stable,normal,,,,,,,