View Issue Details

IDProjectCategoryView StatusLast Update
0023979mantisbtadministrationpublic2020-12-16 02:30
Reportercproensa Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
Product Version2.12.0 
Summary0023979: User with "project_user_threshold" can't access to manage project page
Description

For example:
project_user_threshold = MANAGER
manage_project_threshold = ADMINISTRATOR

Currently, a user with manager access level in a project can't access the project edit pages to manage users for that project.
I expect the page to be accessible, but only the relevant part (manage users) being editable, according to permissions.
Otherwise, "project_user_threshold" seems to be of little use.

A use case is:
A user who is manager for a private project, should be able to add and remove users in that project
But can't edit main project properties: names, enabled status, or make it public.

Additionally, we could consider:
The user that can manage users in a project, should not be able to add or remove user with higher access level than him.

TagsNo tags attached.

Activities

cproensa

cproensa

2018-02-15 09:31

developer   ~0058879

Is there a specific threshold for users to manage versions inside a project?
Seems like that capability would have the same issues, if you want a limited user access level to be able to create versions, but not modify other properties in the project.

dregad

dregad

2018-02-15 16:22

developer   ~0058885

Currently, a user with manager access level in a project can't access the project edit pages to manage users for that project.

Sounds like a bug. I vaguely recall hitting this issue in my previous company, but never got around to investigating or attempting to fix it.

I expect the page to be accessible, but only the relevant part (manage users) being editable, according to permissions.

I agree.

The user that can manage users in a project, should not be able to add or remove user with higher access level than him.

That makes sense, but we need to be careful with the global vs project-specific access - which one to consider in this scenario ?

Is there a specific threshold for users to manage versions inside a project?

I don't think so

cproensa

cproensa

2018-02-15 16:34

developer   ~0058887

That makes sense, but we need to be careful with the global vs project-specific access - which one to consider in this scenario ?

I think specific project level should always override global access level, for those actions that are related to that project. This is especially applicable to private projects.

atrol

atrol

2018-02-15 16:44

developer   ~0058888

I think specific project level should always override global access level,

unless you are a global administrator

At least this is what we have at the moment in function access_get_project_level

    if( ALL_PROJECTS == $p_project_id || user_is_administrator( $p_user_id ) ) {
        return $t_global_access_level;
cproensa

cproensa

2018-02-15 17:06

developer   ~0058889

unless you are a global administrator

right

Marnix

Marnix

2018-04-05 03:00

reporter   ~0059436

Had also 'issues' with this feature.
In my opinion authorisation should separated like this;

  • separate threshold to be able to add, change, password reset and inactivate users
    • users with higher privileges never show
  • separate threshold to be able to delete users, same as above but then including delete option (admin)
    • users with higher privileges never show
  • separate threshold to be able to add new users, and only able to connect them with her/his project ("project_user_threshold")
    • and only sees the users (same and lower in rights) connected to his/her project
    • able to change the users rights for that particular project (only for users lower than his rights)
    • able to disconnect users from his/her project (or able to set rights to '0' for that user for that project)
    • not able to delete users
    • users with higher privileges never show
elizabethbrown

elizabethbrown

2020-12-14 10:38

reporter   ~0064794

Last edited: 2020-12-16 02:30

Sorry, I faced this access problem.
Please let us know when it will be fixed. Thank you

EDIT (dregad): below is the contents of the PDF that was originally attached to this note

for example:

project_user_threshold = MANAGER
manage_project_threshold = ADMINISTRATOR

Currently, a user with manager access level in a project can't access the project edit pages to manage users for that project.
I expect the page to be accessible, but only the relevant part (manage users) being editable, according to permissions.
Otherwise, "project_user_threshold" seems to be of little use.

A use case is:
A user who is manager for a private project, should be able to add and remove users in that project
But can't edit main project properties: names, enabled status, or make it public.

Additionally, we could consider:
The user that can manage users in a project, should not be able to add or remove user with higher access level than him.