Add access checking in the default issue views?
sderrick - June 7, 2009 - 04:06
| Project: | Project issue tracking |
| Version: | 6.x-1.x-dev |
| Component: | Views integration |
| Category: | task |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
Just installed Project and Project Issue Tracker.
I have set the permissions for both modules to be limited to the admin and editor roles.
However, when I log in as an authenticated user, the menu items "Issues" & "My Projects" are displayed in the main navigation menu? If you click on the menu items you get the appropriate dialog with an empty list and a message "No issues match your criteria."
This seems like a bug but maybe there is some configuration setting I'm not aware of?

#1
The problem is that the default views that ship with the module do no access checking of their own. At the very least, they should probably honor the "access content" permission. Sadly, issue permissions are a bit of a tangled mess:
#317404: Add Project Permissions Functionality
#234463: Remove 'access own projects' permission
http://drupal.org/project/project_access
http://drupal.org/project/project_permissions
...
I'm not sure what the default views should do given all of this mess. We're moving away from the "access * issues" permissions, and those will probably be removed entirely before the 6.x-1.0 release. But, I'm not sure what the default views should do in that case...
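
One way a site could make the shipped issue views honor the "access content" permission mentioned in comment #1, as an added example that is not part of the thread or of the Project issue tracking module: a `hook_views_default_views_alter()` implementation for Views 2 on Drupal 6. The module name `mymodule` and the view names are placeholders, since the thread does not name the views.

```php
<?php
// Added example; "mymodule" and the view names below are placeholders.

/**
 * Implementation of hook_views_default_views_alter() (Views 2, Drupal 6).
 */
function mymodule_views_default_views_alter(&$views) {
  // Permission suggested in comment #1 as the minimum. Substitute a
  // stricter site-specific permission if the lists should be role-limited.
  $access = array('type' => 'perm', 'perm' => 'access content');

  // Placeholder names: replace with the machine names listed on
  // admin/build/views for the Project issue default views.
  $targets = array('EXAMPLE_issue_view_1', 'EXAMPLE_issue_view_2');

  foreach ($targets as $name) {
    if (empty($views[$name])) {
      continue; // View not provided on this site.
    }
    foreach ($views[$name]->display as $id => $display) {
      // Set access on the default display, and on any display that
      // already carries its own access setting, so none stays at "none".
      if ($id == 'default' || isset($display->display_options['access'])) {
        $views[$name]->display[$id]->display_options['access'] = $access;
      }
    }
  }
}
```

The alter hook only affects views still running from code, so a view that has been overridden in the database keeps its stored access setting. Clear the Views cache after enabling the module so the altered defaults are picked up.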