Updated by Parimal Satyal about 1 year ago
### Steps to reproduce
1. Be a non-admin user
2. Have two projects
   1. "Project read only": The user is a member here but does not have the "Manage work package relations" permission
   2. "Project writable": The user is a member with the "Manage work package relations" permission
3. Have two work packages, one in each project
   1. "Work package read only"
   2. "Work package writable"
4. Go to the writable ticket "Work package writable"
5. Go to the relations tab and open the modal to create a new "Blocks" permission (also possible for other relations)
6. Insert "Work package read only"
7. Click "Add"
### What is the buggy behavior?
* The relation is created.
### What is the expected behavior?
* We enforce symmetry; the user needs write permission on both work packages in order to be able to create the relation.
* Relations with read-only permissions are still visible in the results. However, selecting one throws an in-line error below the field with text:
  * "The selected work package is read-only and cannot be added as a relation."
### Screenshots and other files
<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/314824/content">
### Technical notes
This is possible because the `relations/base_contract.rb` only checks the `model.from` work package for the permission.
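The difference between the from-only check described above and the symmetric check the expected behavior asks for, as an added Ruby sketch. It is not OpenProject's `relations/base_contract.rb`; every class, method and permission symbol in it is hypothetical, and the sample data is constructed to mirror the steps to reproduce.

```ruby
# Added illustration; not OpenProject's relations/base_contract.rb.
# All class, method and permission names here are hypothetical.
Project     = Struct.new(:name)
WorkPackage = Struct.new(:subject, :project)
Relation    = Struct.new(:from, :to, :type)

class User
  def initialize(permissions)
    @permissions = permissions # { project => [permission symbols] }
  end

  def allowed_in?(permission, project)
    @permissions.fetch(project, []).include?(permission)
  end
end

PERMISSION = :manage_work_package_relations
READ_ONLY_ERROR =
  "The selected work package is read-only and cannot be added as a relation."

# Behaviour the report describes: only the `from` side is checked.
def from_only_errors(user, relation)
  user.allowed_in?(PERMISSION, relation.from.project) ? [] : [READ_ONLY_ERROR]
end

# Expected behaviour: the permission must hold on both ends of the relation.
def symmetric_errors(user, relation)
  ends = [relation.from, relation.to]
  ends.all? { |wp| user.allowed_in?(PERMISSION, wp.project) } ? [] : [READ_ONLY_ERROR]
end

# Constructed sample data mirroring the steps to reproduce.
def sample_relation
  read_only = Project.new("Project read only")
  writable  = Project.new("Project writable")
  user = User.new({ read_only => [:view_work_packages],
                    writable  => [:view_work_packages, PERMISSION] })
  from = WorkPackage.new("Work package writable", writable)
  to   = WorkPackage.new("Work package read only", read_only)
  [user, Relation.new(from, to, :blocks)]
end

if __FILE__ == $PROGRAM_NAME
  user, relation = sample_relation
  puts "from-only: #{from_only_errors(user, relation).inspect}"
  puts "symmetric: #{symmetric_errors(user, relation).inspect}"
end
```

With the from-only check, the same pair of work packages is rejected when the relation starts at the read-only one and accepted when it starts at the writable one; the symmetric check rejects both directions.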