login & rights > Bug
"private" task should not be shown in lists / #2880

Summary
Status: open
Opened: Nov 7, 2006
Estimated: 2 days ... 2 weeks
Created: Nov 7, 2006 / binder
Modified: Dec 10, 2006 / pixtur
Logged effort: 1.9
Attached files: No files uploaded
At present a task set to "private" is shown in projViewTasks; the taskView then shows a user error "invalid task-id", which is the second bug here! ;)
We have:
- private task is shown to person, who isn't allowed to see the task at all
- clicking on that task brings wrong error-message (on purpose?)
Issue report
Severity: Minor
Reproducibility: Have not tried
Platform: streber
Version: 0.68
Build: 125

13 Comments
pixtur
Nov 8, 2006
good point...
Private messages should not be listed to anybody but the creator and users with User-right "RIGHT_VIEW_ALL" (This should be Admin only).
Can you provide some more information on who (with which profile and Project memberships) creates what where, which is visible for whom (which profile)?
binder
Nov 8, 2006
version 2
more information
I (admin) opened a new project, added a task in there with "private" rights. Added another user (pm) to that project.
Other users see the project (there's no private for projects - why not? *G*) and see the task in the list. Clicking on that private task leads to the error-message "invalid task-id"...
I wanted to set this up in www.pixtur.de/nod/, but we lack users! ;)
Perhaps we could add user2-user5? ;)
pixtur
Nov 11, 2006
Can't reproduce
Hi Burger,
I spent some time playing around with this stuff, but I cannot reproduce this behavior. It will work, if:
- The current user (PM) has neither "RIGHT_VIEW_ALL" nor "RIGHT_EDIT_ALL" (which includes RIGHT_VIEW_ALL)
- The private task has not been created by the other persons.
I will create the new users to the demo installation.
This is really a serious issue and I am eager to remove any uncertainties about this.
binder
Nov 13, 2006
ok. please add the users on /nod ...
I will show you then. ;)
pixtur
Nov 14, 2006
done
binder
Nov 14, 2006
ok - now I see
We have some more user-rights for users. Cause we're working together, everybody is allowed to "see anything", concerning people/projects/tasks/...
I think that's the problem here. A user (no admin) who is allowed to "see anything" is allowed to see the private tasks, but cannot open them. In that case, the user shouldn't see private tasks he is not related to at all.
pixtur
Nov 14, 2006
ahhh....
Well, "SEE ANYTHING" != "SEE ANYTHING NOT PRIVATE" :)
I think that restricting SEE_ANYTHING will lead to a counterintuitive solution. Maybe we should add another option "View open". But this will make right management a lot more complex :(
binder
Nov 15, 2006
hmmm...
I still consider this a bug. Because, if the user would like to open the private item, he gets an error message. That's why I plead for "see anything but private, which I am not assigned to" ;) Perhaps the best solution?
ok. you could name the private item somehow "mystical", not to provide details for the non-assigned persons, but....
madlyr
Nov 15, 2006
Reply to hmmm... agree
I agree with binder.
Think like this: Do I have to be politically correct in private task names? ;-)))
binder
Nov 15, 2006
Reply to Reply to hmmm... agree
yupp. and what I forgot earlier => no more complex user right management! ;)
pixtur
Nov 16, 2006
hmmm...
This requires adjusting most of the SQL queries.... Sick.
Do a search on "RIGHT_VIEWALL" over the project... 40 occurrences...
I am uncertain. I mean... An admin should see anything. Otherwise you may not find or fix certain stuff. Why not add a profile option "RIGHT_VIEWOPEN". This would work like this:
- if RIGHT_VIEWALL, pub_level is not checked
- if RIGHT_VIEWOPEN, pub_level of item will be compared with user's original item-access rights from his profile. So you could distinguish a "Developer" (seeing all open items of projects) from a "Manager" (seeing all items with level internal of all projects)
binder
Nov 17, 2006
Reply to hmmm...
Yes, if you refer to admin, then I have no pain with this.
But I think we are not the only company whose employees are allowed to "see anything". Why should I only see the clients I once worked in a project for? And what happens if a client calls whom I am not allowed to see; I have no chance to add a notice on him...
That's why our users are allowed to "see anything".
But there is still some information in streber which should be kept confidential to those assigned to it...
pixtur
Dec 10, 2006
You could turn on "view all persons"
I understand your request. But I currently don't know how to fix this without completely messing up the right model. Adding a new right RIGHT_VIEWOPEN would still require massive changes and refactoring to many parts of the source code:
- most SQL-Requests
- getVisibleById() functions
- probably a lot of Page-Functions which check for visibility of items.
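
An added illustration, not streber's code and not written by anyone in this thread: a minimal Python model of the inconsistency discussed above, where the list view and the detail view apply different visibility rules, plus a regression check that flags any task a user sees in a list but cannot open. All names except RIGHT_VIEW_ALL and pub_level are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
PRIVATE, OPEN = "private", "open"  # hypothetical pub_level values

@dataclass(frozen=True)
class User:
    name: str
    rights: frozenset = frozenset()

@dataclass(frozen=True)
class Task:
    id: int
    pub_level: str
    created_by: str
    assigned_to: frozenset = frozenset()

def can_view(user, task):
    """One visibility rule, shared by the list view and the detail view."""
    if "RIGHT_VIEW_ALL" in user.rights:  # admin-only bypass, as stated in the thread
        return True
    if task.pub_level == PRIVATE:  # private: creator or assignee only
        return user.name == task.created_by or user.name in task.assigned_to
    return True  # assumption: project-membership checks are left out of this model

def list_tasks(user, tasks):
    return [t for t in tasks if can_view(user, t)]

def open_task(user, tasks, task_id):
    for t in tasks:
        if t.id == task_id and can_view(user, t):
            return t
    return None  # same result for "missing" and "not permitted"

def leaky_list(user, tasks):
    """Model of the reported behaviour: the list skips the private check."""
    return list(tasks)

def listed_but_not_openable(user, tasks, lister):
    """Regression check: ids a list view shows that the detail view refuses."""
    return [t.id for t in lister(user, tasks)
            if open_task(user, tasks, t.id) is None]

ADMIN = User("admin", frozenset({"RIGHT_VIEW_ALL"}))  # constructed sample data
PM = User("pm")
TASKS = [Task(1, OPEN, "admin"), Task(2, PRIVATE, "admin"),
         Task(3, PRIVATE, "pm", frozenset({"pm"}))]

if __name__ == "__main__":
    print("leaky list :", listed_but_not_openable(PM, TASKS, leaky_list))
    print("shared rule:", listed_but_not_openable(PM, TASKS, list_tasks))
```

Running the check against every list-producing query for a non-admin test user turns "listed but not openable" into a failing test instead of a user-reported bug.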