      request #37194 Take into account trackers user rights in the new side bar
    Infos
    #37194
    Submitted by: Gabriel Bouvard (gabriel.bouvard)
    Last update: 2024-03-07 14:13
    Submitted on: 2024-03-06 22:54
    38783
    Details
    Take into account trackers user rights in the new side bar

    Promoted trackers are present in the sidebar only if users can submit to them. The tracker button in the sidebar (when promoted) could have been accessible to all authorized users of the tracker.

    Services such as Backlog or Kanban could not be present in the sidebar when users do not have access to any of the trackers managed by those services.

    Category: Agile Dashboard
    All
    • [ ] enhancement
    • [ ] internal improvement
    Stage
    Assigned to: Thomas Gerbet (tgerbet)
    Status: Waiting for information
    Attachments: none
    References: none

    Follow-ups

    Gabriel Bouvard (gabriel.bouvard)

    I'm only talking about the sidebar menu. That is why I categorised that request as UX/UI. And my request doesn't contain any security-sensitive issue. My version is 15.3-2, which wasn't in the list. As an administrator, if I promote tracker A in the tracker global administration, this tracker A is promoted only to users who have submit rights on it. The users who only have read rights don't have access to the promoted tracker through the promoted tracker A button. Concerning the services Backlog and Kanban, in my Tuleap version, if the service is activated then it is active and present in the sidebar for everyone, even if they cannot access the managed trackers. It's not an issue, but it's a pity for UX/UI to have these functionalities in their sidebar to access a window where they are informed that: "Nothing to see here. There is no Kanban created yet".

    Thomas Gerbet (tgerbet) 2024-03-07 10:00

    Hello,

    In the future I encourage you to report security sensitive issues such as issues related to the handling of permissions in private. You can do that either via your usual Tuleap Enterprise support channels or by contacting the Tuleap Security Team as described on https://www.tuleap.org/security

    That being said, I'm not able to reproduce the issue and, reviewing the code, permissions seem to be enforced as expected:

    • for the promoted kanban it is verified that the current user can access the underlying tracker
    • for the promoted milestones/sub-milestones it is verified that the current user can access the artifact and read each fields involved in the display of the items

    I might be missing something but the Tuleap permission model seems to be enforced as expected.

    Do you have a reproduction scenario of the issue and the version of Tuleap you are currently using?


    • Category changed from UX/UI to Agile Dashboard
    • Status changed from New to Waiting for information
    • Assigned to changed from None to Thomas Gerbet (tgerbet)
    • Platform cleared values: EL9 (RockyLinux|AlmaLinux|RHEL)
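
The distinction the two participants are circling is between three different rights (access to a tracker, submit on a tracker, read on a field) and between sidebar visibility and enforcement at the resource. The following is an added illustration written for this page, not Tuleap code: it models those rights as user-group sets with hypothetical group names ("project_members", "readers"), builds a sidebar under both the observed rule (promoted tracker shown only to submitters) and the requested rule (shown to anyone with access), hides an enabled Backlog/Kanban service when the user can access none of its trackers, and shows that the Kanban and milestone views still check access and field read permission on their own, independently of what the sidebar displayed.

```python
# Constructed model of the permission checks discussed in this thread; it is an
# added illustration, not Tuleap code. Permissions are sets of user-group names
# (hypothetical names such as "project_members" and "readers").
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class Tracker:
    name: str
    promoted: bool
    access_groups: frozenset   # groups that may access (read) the tracker
    submit_groups: frozenset   # groups that may submit artifacts
    field_read_groups: dict    # field name -> groups that may read that field


def user_can_access_tracker(user, tracker):
    return bool(user.groups & tracker.access_groups)


def user_can_submit(user, tracker):
    # Submit right is meaningless without access to the tracker.
    return user_can_access_tracker(user, tracker) and bool(user.groups & tracker.submit_groups)


def user_can_read_field(user, tracker, field_name):
    allowed = tracker.field_read_groups.get(field_name, frozenset())
    return user_can_access_tracker(user, tracker) and bool(user.groups & allowed)


def build_sidebar(user, trackers, services, promoted_on_read=False):
    """Sidebar entries for `user`.

    promoted_on_read=False: a promoted tracker is listed only if the user can
    submit to it (the behaviour the reporter observed).
    promoted_on_read=True:  it is listed for any user who can access it (what
    the request asks for).
    A service (Backlog, Kanban) is listed only if the user can access at least
    one tracker it manages, so an enabled service with nothing the user may
    see is not offered.
    """
    entries = []
    for t in trackers:
        if not t.promoted:
            continue
        visible = user_can_access_tracker(user, t) if promoted_on_read else user_can_submit(user, t)
        if visible:
            entries.append(f"tracker:{t.name}")
    for service, managed in services.items():
        if any(user_can_access_tracker(user, t) for t in managed):
            entries.append(f"service:{service}")
    return entries


class AccessDenied(Exception):
    pass


def render_kanban(user, tracker):
    """Resource-level check: the sidebar is navigation, this is the control."""
    if not user_can_access_tracker(user, tracker):
        raise AccessDenied(f"no access to tracker {tracker.name}")
    return f"kanban for {tracker.name}"


def render_milestone_items(user, artifacts):
    """Drop artifacts the user cannot access; within each, expose only readable fields."""
    rows = []
    for tracker, fields in artifacts:
        if not user_can_access_tracker(user, tracker):
            continue
        rows.append({k: v for k, v in fields.items() if user_can_read_field(user, tracker, k)})
    return rows


# Constructed sample data: readers may access Bugs but not submit; only
# project members may access Stories or read the Bugs "severity" field.
BUGS = Tracker("Bugs", True, frozenset({"project_members", "readers"}), frozenset({"project_members"}),
               {"title": frozenset({"project_members", "readers"}), "severity": frozenset({"project_members"})})
STORIES = Tracker("Stories", True, frozenset({"project_members"}), frozenset({"project_members"}),
                  {"title": frozenset({"project_members"})})
SERVICES = {"Kanban": [BUGS], "Backlog": [STORIES]}
READER = User("reader", frozenset({"readers"}))
MEMBER = User("member", frozenset({"project_members"}))

if __name__ == "__main__":
    print(build_sidebar(READER, [BUGS, STORIES], SERVICES))
    print(build_sidebar(READER, [BUGS, STORIES], SERVICES, promoted_on_read=True))
    print(build_sidebar(MEMBER, [BUGS, STORIES], SERVICES))
    print(render_milestone_items(READER, [(BUGS, {"title": "crash", "severity": "high"})]))
    try:
        render_kanban(READER, STORIES)
    except AccessDenied as e:
        print("denied:", e)
```

Whichever rule the sidebar uses, the reader sees only the Kanban service and, in the milestone view, only the "title" field of Bugs, because the checks in `render_kanban` and `render_milestone_items` run regardless of what was listed; changing the sidebar rule changes navigation, not what a user can reach.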