
Opened 10 years ago

Last modified 16 months ago

#4292 new defect

ROADMAP_VIEW / MILESTONE_VIEW privilege

Reported by: dave@… Owned by:
Priority: normal Milestone: next-major-releases
Component: roadmap Version: 0.10.2
Severity: minor Keywords: needmajor
Cc: dave@…, Ryan J Ollos
Release Notes:
API Changes:

Description

roadmap.py is checking for ROADMAP_VIEW, which will only work as long as one keeps the ROADMAP_VIEW permission for anonymous that's set up by db_default.py. Once you delete that, nobody without WIKI_ADMIN privileges can look at the roadmap, because you can create MILESTONE_VIEW privs to your heart's content but they'll be ignored.

Attachments (0)

Change History (8)

comment:1 Changed 10 years ago by Matthew Good

Resolution: worksforme
Status: new → closed

I assume you mean MILESTONE_ADMIN, not WIKI_ADMIN. The MILESTONE_VIEW permission works as documented, allowing a user to view individual milestones. The ROADMAP_VIEW permission is required to view the roadmap.

comment:2 Changed 10 years ago by David Abrahams <dave@…>

Cc: dave@… added
Resolution: worksforme
Status: closed → reopened

No, I did not mean MILESTONE_ADMIN, I really meant WIKI_ADMIN. Ooooh, I see, ROADMAP_VIEW and MILESTONE_VIEW are distinct concepts. That's a bit confusing because I'm sure I saw it documented somewhere that all the MILESTONE_* privileges used to be called ROADMAP_*, so I assumed ROADMAP_VIEW was obsolete.

Well, all I can tell you is that I had MILESTONE_ADMIN set, and still could not view the roadmap page. Is that the expected behavior? If so, IMO it should be documented as such.

comment:3 Changed 10 years ago by Christian Boos

The ROADMAP_VIEW could be replaced by MILESTONE_LIST.

(similar to the ATTACHMENT_LIST permission introduced in the source:sandbox/security branch)

comment:4 Changed 10 years ago by Christian Boos

Milestone: 0.12

comment:5 Changed 6 years ago by Christian Boos

Component: general → roadmap
Keywords: needmajor added
Severity: major → minor

See also #3022. We should eventually remove all ROADMAP_* permissions.

comment:6 Changed 2 years ago by Ryan J Ollos

Cc: Ryan J Ollos added

comment:7 Changed 2 years ago by Ryan J Ollos

The Roadmap doesn't present any information that the user wouldn't already have access to with MILESTONE_VIEW. We could just use MILESTONE_VIEW to determine whether the Roadmap navigation item is present. Fine-grained permission checks when listing the milestones in the /roadmap view could determine which milestones are displayed.

In #1233, I'm considering proposing that Versions also be listed on the Roadmap. In that case, we could want the Roadmap navigation item to be present when the user has either MILESTONE_VIEW or VERSION_VIEW, and to perform fine-grained permission checks on each resource before displaying it in the /roadmap view.

Last edited 2 years ago by Ryan J Ollos
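The two-level check proposed in comment:7, written out as a small Python model (an added illustration, not Trac's own code or any patch attached to this ticket). It contrasts the behaviour reported in the description, where the roadmap is gated on ROADMAP_VIEW alone and MILESTONE_* grants are ignored, with gating the navigation item on either realm's VIEW action and filtering each listed resource with a per-resource check. The permission store, sample users, resources and the `restricted_to` allow-list are all constructed for the example; Trac's real `trac.perm` API and meta-permission expansion are not used.

```python
"""Two-level permission check for the Roadmap, modelled on comment:7.

Constructed example, not Trac's own code. PERMISSIONS, Resource and the
check functions are simplified stand-ins for trac.perm; the sample users
and the `restricted_to` field are invented for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    realm: str                               # "milestone" or "version"
    id: str
    restricted_to: frozenset = frozenset()   # hypothetical per-resource allow-list; empty = no extra restriction


# Realm-level VIEW action that gates each kind of resource listed on the roadmap.
REALM_VIEW_ACTION = {"milestone": "MILESTONE_VIEW", "version": "VERSION_VIEW"}

# Constructed sample permission store: user -> set of granted actions.
# Meta-permissions are pre-expanded here (MILESTONE_ADMIN already lists MILESTONE_VIEW).
PERMISSIONS = {
    "anonymous": set(),
    "dave": {"MILESTONE_ADMIN", "MILESTONE_VIEW"},   # the reporter's situation: no ROADMAP_VIEW
    "bob": {"VERSION_VIEW"},
    "carol": {"MILESTONE_VIEW", "VERSION_VIEW"},
}

# Constructed sample resources; "internal" carries a hypothetical allow-list.
SAMPLE_RESOURCES = (
    Resource("milestone", "0.12"),
    Resource("milestone", "internal", frozenset({"carol"})),
    Resource("version", "0.10.2"),
)


def has_permission(user, action):
    """Coarse lookup: does `user` hold `action`?"""
    return action in PERMISSIONS.get(user, set())


def legacy_roadmap_visible(user):
    """The behaviour described in the ticket: the roadmap is gated on
    ROADMAP_VIEW alone, so MILESTONE_* grants are ignored."""
    return has_permission(user, "ROADMAP_VIEW")


def roadmap_nav_visible(user):
    """Comment:7's rule: show the Roadmap navigation item when the user holds
    the VIEW action of at least one realm listed on the roadmap."""
    return any(has_permission(user, action) for action in REALM_VIEW_ACTION.values())


def fine_grained_check(user, resource):
    """Per-resource check run while listing: the realm's VIEW action plus any
    resource-specific restriction."""
    if not has_permission(user, REALM_VIEW_ACTION[resource.realm]):
        return False
    return not resource.restricted_to or user in resource.restricted_to


def roadmap_items(user, resources=SAMPLE_RESOURCES):
    """Resources the /roadmap view would display for `user`, as (realm, id) pairs."""
    if not roadmap_nav_visible(user):
        return []
    return [(r.realm, r.id) for r in resources if fine_grained_check(user, r)]


if __name__ == "__main__":
    for user in PERMISSIONS:
        print(f"{user:10} legacy={legacy_roadmap_visible(user)!s:5} "
              f"nav={roadmap_nav_visible(user)!s:5} items={roadmap_items(user)}")
```

Running the script shows the reported defect directly: `dave` holds MILESTONE_ADMIN yet `legacy_roadmap_visible` is False, while the realm-based rule admits him to the navigation item and the per-resource filter still hides the allow-listed milestone from everyone but `carol`.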

comment:8 Changed 16 months ago by Ryan J Ollos

Owner: Jonas Borgström deleted
Status: reopened → new
