Bug OP-8439: Adding users to projects while not owning right to manage users

View differences

Updated by Wieland Lindenthal about 5 years ago

### **Environment**:

OP 11.2 ~~Your OpenProject Version: <VERSION> / Cloud Edition~~

~~Operating System / Browser / OpenProject language:~~

### **Logs**

Are there errors in the browser console? ([Click here for information on how to open your browser's console](https://webmasters.stackexchange.com/a/77337)) For a local installation: Are there relevant logs output by `openproject logs` (packaged installation) or in a log/production.log or /var/log/openproject/ ? Please attach error output in these log files if applicable

### **Steps to reproduce:**

1. Create a non-admin user "Leaker" with the global permission Go to create and edit users ~~page X~~
2. Make that user a normal member of a project "A", without the right to manager members of that project ~~Click on button Y~~
3. Login as that user.
4. Go to administration > Users,
5. Chose to edit some other user. Go to projects tab. ~~Select Foo~~

### **Actual Behavior**

* in ~~Describe~~ the projects drop down on the right you see project "A" although you should not be able to manage memberships of that project.
* you can now add that other user with any role to that project "A" ~~behavior you're seeing.~~

### **Expected Behavior**

* you should not be able to see and select project "A" in that drop down
* The backend should not accept adding ~~Describe~~ the member to project "A". ~~expected behavior.~~

Back

Content

View differences