From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
The Tasks List query retrieves all items that are in a workflow state to which the user is assigned; however, it does not apply any permission filters to the resulting set of items. Thus if an item is in a private folder, the user is unable to action the item in their task list.

This is a severe problem as people attempt to de-centralize the CMS authoring & approval processes to all members of their organisation, since a given workflow may have hundreds of users assigned to each step, but each person only has permissions to act on items in a small number of folders. Thus the task list may have hundreds of entries of which only 10-20 relate to items on which the user has permission.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create two users
2. Assign both users to the Authoring phase of the production workflow
3. Create two folders.
4. Remove all default permissions from these two folders.
5. Give one user edit privilege on one folder, and the other user edit privilege on the other folder
6. Have each user create an item in their respective folder
7. Go to the task list

Actual Results:
Both users can see items from both folders, even though they each only have permission on one folder.

Expected Results:
The user can only see items on which they have permission.

Additional info:
I cannot understate the importance of this problem - it is holding up the deployment of CMS for several APLAWS customers.
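The query shape the report describes, as an added example that is not part of the ticket or of the CMS's own code: an in-memory SQLite model of the task list with the unfiltered query (workflow assignment only, the reported behaviour) beside the corrected query, which also requires an edit grant on the item's folder. The table names, the two users, the two folders and all rows are constructed here from the "Steps to Reproduce" and are assumptions, not the CMS's real schema.

```python
# Added example, not code from the Bugzilla ticket or from the CMS it describes.
# It models the reported task-list query in SQLite: the unfiltered form joins
# items to the caller's workflow assignments only; the corrected form also
# requires an edit grant on the item's folder. Table names, users, folders and
# rows are all constructed for this illustration.
import sqlite3

SCHEMA = """
CREATE TABLE workflow_assignment (state TEXT NOT NULL, user_name TEXT NOT NULL);
CREATE TABLE folder_permission (user_name TEXT NOT NULL, folder TEXT NOT NULL,
                                privilege TEXT NOT NULL);
CREATE TABLE item (item_id INTEGER PRIMARY KEY, folder TEXT NOT NULL,
                   state TEXT NOT NULL);
"""

# Reported behaviour: workflow assignment is checked, folder permission is not.
TASK_LIST_UNFILTERED = """
SELECT i.item_id
FROM item i
JOIN workflow_assignment wa ON wa.state = i.state
WHERE wa.user_name = ?
ORDER BY i.item_id
"""

# Expected behaviour: the permission filter is applied inside the same query,
# so the result set only ever contains items the caller may act on.
TASK_LIST_FILTERED = """
SELECT i.item_id
FROM item i
JOIN workflow_assignment wa ON wa.state = i.state
WHERE wa.user_name = ?
  AND EXISTS (
      SELECT 1 FROM folder_permission fp
      WHERE fp.user_name = wa.user_name
        AND fp.folder = i.folder
        AND fp.privilege = 'edit')
ORDER BY i.item_id
"""


def build_repro() -> sqlite3.Connection:
    """In-memory database populated per the ticket's 'Steps to Reproduce':
    two users on the Authoring step, one private folder each, one item each.
    All values are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO workflow_assignment VALUES (?, ?)",
                     [("Authoring", "alice"), ("Authoring", "bob")])
    conn.executemany("INSERT INTO folder_permission VALUES (?, ?, ?)",
                     [("alice", "folder-a", "edit"), ("bob", "folder-b", "edit")])
    conn.executemany("INSERT INTO item (folder, state) VALUES (?, ?)",
                     [("folder-a", "Authoring"), ("folder-b", "Authoring")])
    conn.commit()
    return conn


def task_list(conn: sqlite3.Connection, user: str, filtered: bool = True) -> list:
    """Item ids shown on the task list for `user`; `filtered=False` reproduces
    the reported behaviour, `filtered=True` the expected one."""
    sql = TASK_LIST_FILTERED if filtered else TASK_LIST_UNFILTERED
    return [row[0] for row in conn.execute(sql, (user,))]


if __name__ == "__main__":
    conn = build_repro()
    for user in ("alice", "bob"):
        print(f"{user}: unfiltered={task_list(conn, user, filtered=False)} "
              f"filtered={task_list(conn, user)}")
```

Putting the permission predicate in the query itself, rather than post-filtering rows in application code, also addresses the scale point in the report: the hundreds of assigned items are cut down to the handful the user may act on before they reach the page, and a user with no grants at all gets an empty list rather than a list of items they cannot open.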
If you need the fix ASAP, you will need to do it yourself and supply us the patch for merge. Otherwise, we will get to it as soon as we can. -> Private because of customer facing information that should not be public in this ticket.
mbooth: do you have a patch for this?
fixed, along with a few other things, on 5.2 (39243), dev (39234), 6.0 (39263)
QA_READY has been deprecated in favor of ON_QA. Please use ON_QA in the future. Moving to ON_QA.
Closing old tickets