Opened 18 years ago
Last modified 3 years ago
#4292 new defect
ROADMAP_VIEW / MILESTONE_VIEW privilege
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | normal | Milestone: | next-major-releases |
Component: | roadmap | Version: | 0.10.2 |
Severity: | minor | Keywords: | needmajor |
Cc: | dave@…, Ryan J Ollos | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
roadmap.py is checking for ROADMAP_VIEW, which will only work as long as one keeps the ROADMAP_VIEW permission for anonymous that's set up by db_default.py. Once you delete that, nobody without WIKI_ADMIN privileges can look at the roadmap, because you can create MILESTONE_VIEW privs to your hearts content but they'll be ignored.
Attachments (0)
Change History (8)
comment:1 by , 18 years ago
Resolution: | → worksforme |
---|---|
Status: | new → closed |
comment:2 by , 18 years ago
Cc: | added |
---|---|
Resolution: | worksforme |
Status: | closed → reopened |
No, I did not mean MILESTONE_ADMIN, I really meant WIKI_ADMIN. Ooooh, I see, ROADMAP_VIEW and MILESTONE_VIEW are distinct concepts. That's a bit confusing because I'm sure I saw it documented somewhere that all the MILESTONE_* privileges used to be called ROADMAP_*, so I assumed ROADMAP_VIEW was obsolete.
Well, all I can tell you is that I had MILESTONE_ADMIN set, and still could not view the roadmap page. Is that the expected behavior? If so, IMO it should be documented as such.
comment:3 by , 18 years ago
The ROADMAP_VIEW could be replaced by MILESTONE_LIST.
(similar to the ATTACHMENT_LIST permission introduced in the source:sandbox/security branch)
comment:4 by , 18 years ago
Milestone: | → 0.12 |
---|
comment:5 by , 14 years ago
Component: | general → roadmap |
---|---|
Keywords: | needmajor added |
Severity: | major → minor |
See also #3022. We should eventually remove all ROADMAP_* permissions.
comment:6 by , 10 years ago
Cc: | added |
---|
comment:7 by , 10 years ago
The Roadmap doesn't present any information that the user wouldn't already have access to with MILESTONE_VIEW
. We could just use MILESTONE_VIEW
to determine whether the Roadmap navigation item is present. Fine-grain permission checks when listing the milestones in the /roadmap
view could determine which milestones are displayed.
In #1233, I'm considering to propose that Versions also be listed on the Roadmap. In that case, we could want the Roadmap navigation item to be present when the user has either MILESTONE_VIEW
or VERSION_VIEW
, and to perform fine-grained permission checks on each resource before displaying it in the /roadmap
view.
comment:8 by , 10 years ago
Owner: | removed |
---|---|
Status: | reopened → new |
I assume you mean
MILESTONE_ADMIN
, notWIKI_ADMIN
. TheMILESTONE_VIEW
permission works as documented, allowing a user to view individual milestones. TheROADMAP_VIEW
permission is required to view the roadmap.