Bug 104488 - Tasks List does not filter by permissions
Summary: Tasks List does not filter by permissions
Alias: None
Product: Red Hat Enterprise CMS
Classification: Retired
Component: ui   
(Show other bugs)
Version: 5.2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: ccm-bugs-list
QA Contact: Jon Orris
Depends On:
TreeView+ depends on / blocked
Reported: 2003-09-16 10:39 UTC by Daniel Berrange
Modified: 2007-04-18 16:57 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-09-02 17:43:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Daniel Berrange 2003-09-16 10:39:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
The Tasks List query retrieves all items that are in a workflow state to which
the user is assigned, however, it does not apply any permissions filters to the
resulting set of items. Thus if an item is in a private folder then the user is
unable to action the item in their task list.

This is a severe problem as people attempt to de-centralize the CMS authoring &
approval processes to all members of their organisation, since a given workflow
may have hundreds of users assigned to each step, but each person only has
permissions to act on items in a small number of folders. Thus the task list may
have hundreds of entries of which only 10-20 are relating to items on which the
user has permission.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create two users
2. Assign both users to the Authoring phase of the production workflow
3. Create two folders.
4. Remove all default permissions from these two folders.
5. Give one user to edit privilege on one folder, the other user edit on the
other folder
6. Have each user create an item in their respective folder
7. Go to the task list

Actual Results:  Both users can see items  from both folders, even though they
each only have permission on one folder.

Expected Results:  The user can only see items on which they have permission.

Additional info:

I cannot understate the importance of this problem - it is holding up the
deployment of CMS for several APLAWS customers.

Comment 1 Richard Li 2003-09-16 12:01:58 UTC
If you need the fix ASAP, you will need to do it yourself and supply us the
patch for merge. Otherwise, we will get to it as soon as we can.

-> Private because of customer facing information that should not be public in
this ticket.

Comment 2 Richard Li 2003-10-29 15:41:23 UTC
mbooth: do you have a patch for this?

Comment 3 Archit Shah 2004-01-09 21:14:46 UTC
fixed, along with a few other things, on 5.2 (39243), dev (39234), 6.0

Comment 4 David Lawrence 2006-07-18 03:05:38 UTC
QA_READY has been deprecated in favor of ON_QA. Please use ON_QA in the future.
Moving to ON_QA.

Comment 5 Daniel Berrange 2006-09-02 17:43:19 UTC
Closing old tickets

Note You need to log in before you can comment on or make changes to this bug.