As far as I can tell, ticket data for the global dashboard is provided by ProductQuery, which executes SQL queries using db_direct_query. This returns results from all products and applies no additional security filters.

I do not see a quick fix that would solve this, as applying any security filtering after the query was executed would mess up the paging functionality (empty pages if no tickets on that specific page are viewable).

On Tue, Jun 18, 2013 at 2:22 PM, Matevž Bradač <[email protected]> wrote:
>
> On 18. Jun, 2013, at 14:02, Anze Staric wrote:
>
>> While working on integration of FineGrainedPermissions into bhsearch,
>> I have discovered that Dashboard does not always use permissions the
>> way it should.
>>
>> My test setup is the following:
>> user anonymous has *_VIEW on global, but no product specific
>> permissions. There are two products DEMO and MNP.
>>
>> With this setup, anonymous can access global Dashboard, where it sees
>> all the tickets and all the products. He cannot access product
>> specific dashboards (no PRODUCT_VIEW permission). Links to
>> products/tickets in the global dashboard also redirect to login.
>>
>> If I add PRODUCT_VIEW permission for both products, anonymous can
>> access the dashboards, but ticket and timeline widgets crash (no
>> TICKET_VIEW permissions).
>>
>> FineGrainedPermissions are also not taken into the account.
>>
>> Should we do something about this now or should we leave it for 0.7?
>
> If it's a quick fix (i.e. no major side-effects) I think it should
> be fixed for the 0.6 release.
>
> --
> matevz
>
>>
>>
>> Anze
>
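The paging problem described in the message above, shown as an added, self-contained example (not Bloodhound code, and not the ProductQuery or db_direct_query implementation): the ticket table, the permission store, the product names and all user names are constructed for illustration. It pages the same result set two ways, filtering after the LIMIT/OFFSET query versus pushing the product restriction into the WHERE clause, so the empty-page effect and the fix are both visible.

```python
import sqlite3

# Constructed sample data, not from the thread: ids 1-5 belong to DEMO, 6-10 to MNP.
SAMPLE_TICKETS = [(i, "DEMO" if i <= 5 else "MNP") for i in range(1, 11)]

# Hypothetical permission store: user -> {product: set of granted actions}.
PERMISSIONS = {
    "anonymous": {"DEMO": {"PRODUCT_VIEW", "TICKET_VIEW"}},
    "admin": {
        "DEMO": {"PRODUCT_VIEW", "TICKET_VIEW"},
        "MNP": {"PRODUCT_VIEW", "TICKET_VIEW"},
    },
}


def make_db():
    """Build an in-memory ticket table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, product TEXT NOT NULL)")
    conn.executemany("INSERT INTO ticket VALUES (?, ?)", SAMPLE_TICKETS)
    return conn


def viewable_products(user):
    """Products for which the user holds both PRODUCT_VIEW and TICKET_VIEW (hypothetical rule)."""
    perms = PERMISSIONS.get(user, {})
    return sorted(p for p, actions in perms.items()
                  if {"PRODUCT_VIEW", "TICKET_VIEW"} <= actions)


def pages_postfilter(conn, user, page_size):
    """Problematic order: query every product, page with LIMIT/OFFSET, filter afterwards.

    The page count is derived from the unfiltered total, so pages whose rows
    the user may not see come back empty.
    """
    allowed = set(viewable_products(user))
    total = conn.execute("SELECT COUNT(*) FROM ticket").fetchone()[0]
    n_pages = -(-total // page_size)  # ceiling division
    pages = []
    for page in range(n_pages):
        rows = conn.execute(
            "SELECT id, product FROM ticket ORDER BY id LIMIT ? OFFSET ?",
            (page_size, page * page_size),
        ).fetchall()
        pages.append([tid for tid, product in rows if product in allowed])
    return pages


def pages_prefilter(conn, user, page_size):
    """Corrected order: restrict to permitted products in the WHERE clause, then page.

    Both the count and the page query carry the same restriction, so the page
    count matches what the user can actually see. Product names are bound as
    parameters; only the '?' placeholders are interpolated into the SQL text.
    """
    allowed = viewable_products(user)
    if not allowed:
        return []
    marks = ",".join("?" * len(allowed))
    total = conn.execute(
        f"SELECT COUNT(*) FROM ticket WHERE product IN ({marks})", allowed
    ).fetchone()[0]
    n_pages = -(-total // page_size)
    pages = []
    for page in range(n_pages):
        rows = conn.execute(
            f"SELECT id FROM ticket WHERE product IN ({marks}) ORDER BY id LIMIT ? OFFSET ?",
            (*allowed, page_size, page * page_size),
        ).fetchall()
        pages.append([tid for (tid,) in rows])
    return pages


if __name__ == "__main__":
    db = make_db()
    print("post-filter:", pages_postfilter(db, "anonymous", 3))  # trailing empty pages
    print("pre-filter: ", pages_prefilter(db, "anonymous", 3))   # only pages with visible rows
```

With a page size of 3, the post-filter variant reports four pages for "anonymous" and returns two of them empty, which is exactly the symptom the message warns about; the pre-filter variant reports two pages and fills both. A user with no viewable products gets no pages at all rather than a run of empty ones.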
