"private" task should not be shown in lists/ (deleted Wed Aug 5, 2009 04:53pm)

Private messages should not be listed to anybody but the creator and users with User-right "RIGHT_VIEW_ALL" (This should be Admin only).

Can you provide some more information on, who (which which profile and Project memeberships), creates what where, which is visible for whom (which profile)?

I (admin) opend a new project, added a task in there with "private" rights. Added another user (pm) to that project.

other users see the project (theres no private for projects - why not? *G*) and see the task in the list. Klicking on that private task leads to the error-message "invalid task-id"...

I wanted to setup this in http://www.pixtur.de/nod/ , but we lack users! ;)
Perhaps we could add user2-user5? ;)

Hi Burger,

I spent some time playing around with those stuff, but I cannot reproduce this behavoir. I will work, if:

• The current user (PM) has neither "RIGHT_VIEW_ALL" nor "RIGHT_EDIT_ALL" (which included RIGHT_VIEW_ALL)
• The private task has not been created by the other persons.

I will create the new users to the demo installation.

This is really a serious issue and I am eager to remove any uncertanties about this.

I will show you then. ;)

we have some more user-rights for users. Cause we're working together, everybody is allowed to "see anything", concerning people/projects/tasks/...

I think, that's the problem here. A user (no admin) who is allowed to "see anything", is allowed to see the private taks, but cannot open it. In that case, the user shouldn't see private tasks, he is not related to at all.

Well, "SEE ANYTHING" != "SEE ANYTHING NOT PRIVATE" :)

I think that restricting SEE_ANYTHING will lead to a counter intuitive solution. Maybe we should add another option "View open". But this will make right management alot more complex :(

I still consider this a bug. Because, if the user would like to open the private item, he gets an error message. That's why I plead for "see anything but private, which I am not assigned to" ;) Perhaps the best solution?
ok. you could name the private item somehow "mystical", not to provide details for the non-assigned persons, but....

I agree with binder.

Think like this: Do I have to be a political correct in private tasks names? ;-)))

yupp. and what I forgot earlier => no more complex user right management! ;)

This requires to adjust most of the SQL-queries.... Sick.

Do a search on "RIGHT_VIEWALL" over the project... 40 occurences...

I am uncertain. I mean... An admin should see anything. Otherwise you may not find or fix certain stuff. Why not add an profile option "RIGHT_VIEWOPEN". This would work like this:

• if RIGHT_VIEWALL pub_level is not been checked
• if RIGHT_VIEWOPEN pub_level of item will be compared with user's original item-access rights from his profile. So you could distinguish a "Developer" (seeing all open items of projects) from a "Manager" (seeing all items with level internal of all projects)

yes, if you refer to admin, then I have no pain with this.
but, I think we are not the only company, which employees are allowed to "see anything". why should I only see the clients, I once worked in a project for? And what happens, if a client calls, which I aren't allowed to see; I have no chance to add a notice on him...
that's why, our users are allowed to "see anything".

But there are still some information in streber, which should be kept confidential to those assigned to it...

I understand you request. But I currently don't know how to fix this without completely messing up the right model. Adding a new right RIGHT_VIEWOPEN would still require massive changes and refactoring to many parts of the source code:

• most SQL-Requests
• getVisibleById() functions
• probably a lot of Page-Functions which check for visibility of items.

Overall a pttrey good effort and contains useful information for someone looking for a project management tool. Perhaps include a scaled down project and cite specific instances where TeamPulse could be put to great use. Thanks.