On Tue, Jun 18, 2013 at 5:02 AM, Anze Staric <[email protected]> wrote:
> While working on integration od FineGrainedPermissions into bhsearch, > I have discovered that Dashboard does not always use permissions the > way it should. > > My test setup is the following: > user anonymous has *_VIEW on global, but no product specific > permissions. There are two products DEMO and MNP. > > With this setup, anonymous can access global Dashboard, where it sees > all the tickets and all the products. He cannot access product > specific dashboards (no PRODUCT_VIEW permission). Links to > products/tickets in the global dashboard also redirect to login. > > If I add PRODUCT_VIEW permission for both products, anonymous can > access the dashboards, but ticket and timeline widgets crash (no > TICKET_VIEW permissions). > > FineGrainedPermissions are also not taken into the account. > > Should we do something abou this now or should we leave it for 0.7? We should at least have a ticket for this, and we discussed earlier this week that we would mention it in Known Issues for the Release Notes. Could you create a ticket? I would do that, but I don't have time to verify at the moment, and I'd just end up copying your email to a ticket; which could be entirely adequate anyway, but maybe you'll have more to add.
