
Opened 14 years ago

Last modified 6 years ago

#4292 new defect

ROADMAP_VIEW / MILESTONE_VIEW privilege

Reported by: dave@…
Owned by:
Priority: normal
Milestone: next-major-releases
Component: roadmap
Version: 0.10.2
Severity: minor
Keywords: needmajor
Cc: dave@…, Ryan J Ollos
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

roadmap.py is checking for ROADMAP_VIEW, which will only work as long as one keeps the ROADMAP_VIEW permission for anonymous that's set up by db_default.py. Once you delete that, nobody without WIKI_ADMIN privileges can look at the roadmap, because you can create MILESTONE_VIEW privs to your heart's content but they'll be ignored.

Attachments (0)

Change History (8)

comment:1 by Matthew Good, 14 years ago

Resolution: worksforme
Status: new → closed

I assume you mean MILESTONE_ADMIN, not WIKI_ADMIN. The MILESTONE_VIEW permission works as documented, allowing a user to view individual milestones. The ROADMAP_VIEW permission is required to view the roadmap.

comment:2 by David Abrahams <dave@…>, 14 years ago

Cc: dave@… added
Resolution: worksforme
Status: closed → reopened

No, I did not mean MILESTONE_ADMIN, I really meant WIKI_ADMIN. Ooooh, I see, ROADMAP_VIEW and MILESTONE_VIEW are distinct concepts. That's a bit confusing because I'm sure I saw it documented somewhere that all the MILESTONE_* privileges used to be called ROADMAP_*, so I assumed ROADMAP_VIEW was obsolete.

Well, all I can tell you is that I had MILESTONE_ADMIN set, and still could not view the roadmap page. Is that the expected behavior? If so, IMO it should be documented as such.

comment:3 by Christian Boos, 14 years ago

The ROADMAP_VIEW could be replaced by MILESTONE_LIST.

(similar to the ATTACHMENT_LIST permission introduced in the source:sandbox/security branch)

comment:4 by Christian Boos, 14 years ago

Milestone: 0.12

comment:5 by Christian Boos, 11 years ago

Component: general → roadmap
Keywords: needmajor added
Severity: major → minor

See also #3022. We should eventually remove all ROADMAP_* permissions.

comment:6 by Ryan J Ollos, 7 years ago

Cc: Ryan J Ollos added

comment:7 by Ryan J Ollos, 7 years ago

The Roadmap doesn't present any information that the user wouldn't already have access to with MILESTONE_VIEW. We could just use MILESTONE_VIEW to determine whether the Roadmap navigation item is present. Fine-grained permission checks when listing the milestones in the /roadmap view could determine which milestones are displayed.

In #1233, I'm considering proposing that Versions also be listed on the Roadmap. In that case, we could want the Roadmap navigation item to be present when the user has either MILESTONE_VIEW or VERSION_VIEW, and to perform fine-grained permission checks on each resource before displaying it in the /roadmap view.

Last edited 7 years ago by Ryan J Ollos
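The scheme described in comment:7, as an added example that is not Trac's code: a small model of a permission cache with per-resource denials, where the Roadmap navigation item is gated on MILESTONE_VIEW or VERSION_VIEW rather than ROADMAP_VIEW, and every milestone or version is filtered with its own check before it is listed. The PermissionCache and Resource classes, their method names and the sample milestone names are assumptions standing in for Trac's req.perm API, not the real one.

```python
"""Model of the change proposed in comment:7: gate the Roadmap navigation item
on MILESTONE_VIEW or VERSION_VIEW instead of ROADMAP_VIEW, then filter each
listed resource with a per-resource check. Added example, not Trac's code;
PermissionCache is a stand-in for Trac's req.perm and the real API differs."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    realm: str   # 'milestone' or 'version'
    id: str


@dataclass
class PermissionCache:
    """Stand-in for req.perm: global actions granted to the user, plus
    per-resource denials (the job a fine-grained policy does in Trac)."""
    actions: frozenset
    denied: dict = field(default_factory=dict)  # Resource -> set of actions

    def has_permission(self, action, resource=None):
        if action not in self.actions:
            return False
        return action not in self.denied.get(resource, set())


def roadmap_nav_visible(perm):
    """Show the nav item if the user can view milestones or versions;
    ROADMAP_VIEW is not consulted at all."""
    return (perm.has_permission('MILESTONE_VIEW')
            or perm.has_permission('VERSION_VIEW'))


def visible_roadmap_items(perm, milestones, versions=()):
    """Return only the milestones and versions the user may view, checked
    one resource at a time rather than by one coarse roadmap permission."""
    shown = [m for m in milestones
             if perm.has_permission('MILESTONE_VIEW', Resource('milestone', m))]
    shown += [v for v in versions
              if perm.has_permission('VERSION_VIEW', Resource('version', v))]
    return shown


if __name__ == '__main__':
    # Constructed sample: the user holds MILESTONE_VIEW only, and a policy
    # hides the "internal" milestone from them; versions are not visible.
    perm = PermissionCache(frozenset({'MILESTONE_VIEW'}),
                           {Resource('milestone', 'internal'): {'MILESTONE_VIEW'}})
    print(roadmap_nav_visible(perm))                                     # True
    print(visible_roadmap_items(perm, ['public', 'internal'], ['1.0']))  # ['public']
```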

comment:8 by Ryan J Ollos, 6 years ago

Owner: Jonas Borgström removed
Status: reopened → new
