Bug

"private" task should not be shown in lists/ (deleted Wed Aug 5, 2009 12:53pm)

Summary

open
Nov 7, 2006
2 days ... 2 weeks
Nov 7, 2006 / binder
Mar 14, 2012 / guest
1.9
 

Attached files

No files uploaded
 
at present a task set to "private" is shown in projViewTasks; the taskView then shows a user error "invalid task-id", which is the second bug here! ;)

we have:
  • private task is shown to person, who isn't allowed to see the task at all
  • clicking on that task brings wrong error-message (on purpose?)

Issue report

Minor
Have not tried
streber
0.68
125
 

14 Comments

pixtur:good point...

9 years ago

Private messages should not be listed to anybody but the creator and users with User-right "RIGHT_VIEW_ALL" (This should be Admin only).

Can you provide some more information on who (with which profile and Project memberships) creates what where, which is visible for whom (which profile)?


binder:more information

9 years ago (2. update 9 years ago)

I (admin) opened a new project, added a task in there with "private" rights. Added another user (pm) to that project.

other users see the project (there's no private for projects - why not? *G*) and see the task in the list. Clicking on that private task leads to the error-message "invalid task-id"...

I wanted to setup this in http://www.pixtur.de/nod/ , but we lack users! ;)
Perhaps we could add user2-user5? ;)

pixtur:Can't reproduce

9 years ago

Hi Burger,

I spent some time playing around with that stuff, but I cannot reproduce this behavior. It will work, if:
  • The current user (PM) has neither "RIGHT_VIEW_ALL" nor "RIGHT_EDIT_ALL" (which includes RIGHT_VIEW_ALL)
  • The private task has not been created by the other persons.
I will create the new users to the demo installation.

This is really a serious issue and I am eager to remove any uncertainties about this.

binder:ok. please add the users on /nod ...

9 years ago

I will show you then. ;)

pixtur:done

9 years ago


binder:ok - now I see

9 years ago

we have some more user-rights for users. Cause we're working together, everybody is allowed to "see anything", concerning people/projects/tasks/...

I think, that's the problem here. A user (no admin) who is allowed to "see anything", is allowed to see the private tasks, but cannot open it. In that case, the user shouldn't see private tasks, he is not related to at all.

pixtur:ahhh....

9 years ago

Well, "SEE ANYTHING" != "SEE ANYTHING NOT PRIVATE" :)

I think that restricting SEE_ANYTHING will lead to a counterintuitive solution. Maybe we should add another option "View open". But this will make right management a lot more complex :(


binder:hmmm...

9 years ago

I still consider this a bug. Because, if the user would like to open the private item, he gets an error message. That's why I plead for "see anything but private, which I am not assigned to" ;) Perhaps the best solution?
ok. you could name the private item somehow "mystical", not to provide details for the non-assigned persons, but....

madlyr:Reply to hmmm... agree

9 years ago

I agree with binder.

Think like this: Do I have to be politically correct in private task names? ;-)))


binder:Reply to Reply to hmmm... agree

9 years ago

yupp. and what I forgot earlier => no more complex user right management! ;)

pixtur:hmmm...

9 years ago

This requires to adjust most of the SQL-queries.... Sick.

Do a search on "RIGHT_VIEWALL" over the project... 40 occurrences...

I am uncertain. I mean... An admin should see anything. Otherwise you may not find or fix certain stuff. Why not add a profile option "RIGHT_VIEWOPEN". This would work like this:
  • if RIGHT_VIEWALL pub_level is not checked
  • if RIGHT_VIEWOPEN pub_level of item will be compared with user's original item-access rights from his profile. So you could distinguish a "Developer" (seeing all open items of projects) from a "Manager" (seeing all items with level internal of all projects)



binder:Reply to hmmm...

9 years ago

yes, if you refer to admin, then I have no pain with this.
but, I think we are not the only company whose employees are allowed to "see anything". why should I only see the clients, I once worked in a project for? And what happens, if a client calls, which I am not allowed to see; I have no chance to add a notice on him...
that's why, our users are allowed to "see anything".

But there are still some information in streber, which should be kept confidential to those assigned to it...

pixtur:You could turn on "view all persons"

8 years ago

I understand your request. But I currently don't know how to fix this without completely messing up the right model. Adding a new right RIGHT_VIEWOPEN would still require massive changes and refactoring to many parts of the source code:
  • most SQL-Requests
  • getVisibleById() functions
  • probably a lot of Page-Functions which check for visibility of items.
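
Added example, not part of the thread and not streber's code: a Python/sqlite3 model of the rule discussed in the comments above, in which the task list and the by-id lookup share one visibility clause, so the list can never show a task that the detail view then refuses. The schema, the numeric pub_level values, the `min_level` profile field and the function names are assumptions; RIGHT_VIEWOPEN is the right proposed in the comments, not an existing one.

```python
import sqlite3

# Assumed ordering: a higher pub_level means visible to a wider audience.
PRIVATE, INTERNAL, OPEN = 1, 2, 3
RIGHT_VIEWALL, RIGHT_VIEWOPEN = "RIGHT_VIEWALL", "RIGHT_VIEWOPEN"

def visibility_clause(user):
    """Return (sql, params): the one WHERE fragment every task query must use."""
    if RIGHT_VIEWALL in user["rights"]:
        return "1=1", []                      # admin: pub_level is not checked
    own = "t.created_by = ?"                  # creators always see their own items
    level = "t.pub_level >= ?"                # compared with the profile's level
    if RIGHT_VIEWOPEN in user["rights"]:      # proposed right: applies to all projects
        return f"({own} OR {level})", [user["id"], user["min_level"]]
    member = "t.project IN (SELECT project FROM member WHERE user = ?)"
    return f"({own} OR ({level} AND {member}))", [user["id"], user["min_level"], user["id"]]

def list_tasks(db, user, project):
    clause, params = visibility_clause(user)  # only fixed fragments are interpolated
    sql = f"SELECT t.name FROM task t WHERE t.project = ? AND {clause} ORDER BY t.id"
    return [row[0] for row in db.execute(sql, [project, *params])]

def get_visible_by_id(db, user, task_id):
    clause, params = visibility_clause(user)  # same predicate as the list view
    sql = f"SELECT t.name FROM task t WHERE t.id = ? AND {clause}"
    row = db.execute(sql, [task_id, *params]).fetchone()
    return row[0] if row else None

def demo_db():
    """Constructed sample data: one project, four tasks, two members."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE task(id INTEGER PRIMARY KEY, project INT, name TEXT,
                        pub_level INT, created_by INT);
      CREATE TABLE member(project INT, user INT);
      INSERT INTO task VALUES (1, 1, 'public roadmap', 3, 1),
                              (2, 1, 'salary review',  1, 1),
                              (3, 1, 'internal audit', 2, 1),
                              (4, 1, 'pm notes',       1, 2);
      INSERT INTO member VALUES (1, 1), (1, 2);
    """)
    return db

# Constructed users; min_level is the lowest pub_level the profile may see.
ADMIN = {"id": 1, "rights": {RIGHT_VIEWALL}, "min_level": PRIVATE}
PM = {"id": 2, "rights": {RIGHT_VIEWOPEN}, "min_level": INTERNAL}
DEVELOPER = {"id": 3, "rights": {RIGHT_VIEWOPEN}, "min_level": OPEN}
OUTSIDER = {"id": 4, "rights": set(), "min_level": OPEN}
```
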

guest:Ihda

3 years ago - visible as suggested -

Overall a pretty good effort and contains useful information for someone looking for a project management tool. Perhaps include a scaled down project and cite specific instances where TeamPulse could be put to great use. Thanks.