
Reporter: astaric
Opened:
Type: defect
Status: new
Priority: major
Milestone:
Component:
Version:
 
Description

Global Dashboard currently displays widgets that display product data, but do not check product-specific permissions. If a user has TICKET_VIEW permission in global context, he can see unfiltered lists of products and product tickets.

The following steps can be used to reproduce the problems:
Create two products with some tickets (DEMO and MNP). Grant anonymous *_VIEW on global, but no product specific permissions.

With this setup, anonymous can access global Dashboard, where it sees
all the tickets and all the products. He cannot access product
specific dashboards (no PRODUCT_VIEW permission). Links to
products/tickets in the global dashboard also redirect to login.

If anonymous is granted additional PRODUCT_VIEW permission for both products, he can access the dashboards, but ticket and timeline widgets crash (no TICKET_VIEW permissions).

trac:TracFineGrainedPermissions should also be included in permission check.

Cc:
 

Change History

rjollos

  • Milestone set to next 0.x
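
The check the ticket asks for, as an added example that is not Bloodhound or Trac code: a small self-contained model of the DEMO/MNP setup, with a widget that consults only the global permission beside one that filters each row by product permissions. The `PERMS` table, the users `alice` and `bob`, and all function names are assumptions made for illustration; fine-grained (per-resource) policies are not modelled.

```python
# Constructed model of the setup in the ticket; not Bloodhound or Trac code.
GLOBAL = "global"  # hypothetical name for the global context

# (user, context) -> granted actions. All users and grants are constructed.
PERMS = {
    ("anonymous", GLOBAL): {"PRODUCT_VIEW", "TICKET_VIEW"},  # *_VIEW on global only
    ("alice", GLOBAL): {"PRODUCT_VIEW", "TICKET_VIEW"},
    ("alice", "DEMO"): {"PRODUCT_VIEW", "TICKET_VIEW"},
    ("bob", GLOBAL): {"PRODUCT_VIEW", "TICKET_VIEW"},
    ("bob", "MNP"): {"PRODUCT_VIEW"},  # PRODUCT_VIEW without TICKET_VIEW
}
TICKETS = [(1, "DEMO"), (2, "DEMO"), (3, "MNP")]  # (ticket id, product)


def has_perm(user, action, context=GLOBAL):
    """True if `user` holds `action` in `context`; no inheritance between contexts."""
    return action in PERMS.get((user, context), set())


def ticket_widget_unchecked(user):
    """Reported behaviour: only the global permission is consulted."""
    if not has_perm(user, "TICKET_VIEW"):
        raise PermissionError("TICKET_VIEW required")
    return [tid for tid, _ in TICKETS]


def ticket_widget_checked(user):
    """List a ticket only if the user may view both its product and the ticket.

    Rows the user may not see are skipped rather than raising, so a user with
    PRODUCT_VIEW but no TICKET_VIEW gets an empty widget instead of a crash.
    """
    if not has_perm(user, "TICKET_VIEW"):
        return []
    return [tid for tid, product in TICKETS
            if has_perm(user, "PRODUCT_VIEW", product)
            and has_perm(user, "TICKET_VIEW", product)]


def product_widget_checked(user):
    """List only the products the user holds PRODUCT_VIEW on."""
    products = sorted({product for _, product in TICKETS})
    return [p for p in products if has_perm(user, "PRODUCT_VIEW", p)]
```
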

Activity

  

Warning   No events reported for defect: Apply permission checks to default Dashboard widgets (new) in the last 30 days since Jul 21, 2017. This may happen if system is not configured correctly. Please contact your administrator if you think this is the case.