Hi all,

i have a problem that i could not see covered by a post in the forum, so here we go.

We have a list of projects for a company, each of them has a list of tasks. We have a freelancer working on one of the projects, and i set him up with permissions to the company and only this project.

When i logged on with his user, logically, I saw only the one project, with the tasks hidden (as i haven't given him task permissions yet).

The trouble now is, how do i allow him to only view the tasks WITHIN this one project, without giving him explicit permission to each and every single task? If I give him Task access (All Tasks , allow view and edit), the tasks are shown inside his project as they should, but using the task detail view he can click on "task lists" and switch to other task display lists, which allow him not only to see tasks that are not part of his project, but also they are grouped by the project names he should have never seen in the first place - for example the "tasks by user" list.

Even more confusing, if i remove the editing capabilites from the task permissions in the role (All Tasks, Allow view), the "tasks by user" view gives a permission error -- which is what i wanted. However, this will also prevent the user from creating task logs.

One way or the other, I cannot find how to make this work, anyone has a clue for me?

Cheers
Emanuel

i am just re-reading my post from yesterday, and think its a bit confusing. So to re-cap, the question would be:

Is it possible to give a user permissions to access, view and edit *all* the descendants of a certain project (Tasks, Task logs etc), without specifying each individual task within the project in the permission list of the user?

thanks for any clues,
Emanuel

PS: i offer a bottle of fine german beer including shipping to the one who manages to resolve the problem :-)

The simple answer is yes. If you set open access to the tasks/task logs etc, but restrict access to just the one project, then the permissions will work as you expect. I.e. If the user doesn't have access to a project, they don't have access to the tasks/logs, etc within that project, even if they have full permissions on tasks and/or task logs generally.

Hi - and thanks for the answer.

if what you are saying is correct, i guess i found a bug in the permission system.

As a desired test result, I want to use the index.php?m=tasks&a=tasksperuser page. If that page shows me more than the tasks in the project i gave the user access to, something is wrong.

1) the following works ("tasks by users" page gives permission error message as desired)

Role configured as follows:
Company -> All companies - Allow - Access, View
Project -> All Projects - Allow - Access
Tasks -> All Tasks - Allow - Access, View
Task Logs -> All Task Logs - Allow - Access, View, Edit, Add

User permissions:
Project -> Project A - Allow - Access, View

This is almost behaving as i want it to - the user only sees Project A, and the task lists only show his tasks, "tasks by users" page gives permission error. But since the user cannot create task logs (when creating a new one, you cannot submit it to the system), i tried the following:

2)

Changed in Role:
Tasks -> All Tasks - Allow - Access, View, Edit

The results are interesting, and not very logical to me.

- the user still only sees his project in the projects view (as expected)
- task list ( index.php?m=tasks ) shows only tasks for the Project A (as expected)
- tasks by user no longer shows a permission error, and allows to see all tasks by all projects.

Is this a bug? If not, how would i allow a user to create task logs in this use case?

Thanks for your time, i really appreciate your help!
Emanuel

On the Role description you have above, change the Project permission to Deny All.

Then only that project should show up anywhere.

Hi,

thanks for this - however, this does not solve the problem. Restriction of the project works already, and your fix also works (with the exception of the "Projects" header no longer showing).

However, the real problem persists. If the user clicks on "Tasks", and then "Tasks by User", he gets to see ALL the tasks instead of the ones that are part of his project.

Is this a bug in the "Tasks by User" View?

thanks for all the help so far,
Emanuel

...and its propably noteworthy to point out that all other task views work fine, as expected -- they only show the tasks for the single project the user has access to. I do suspect something about the settings lookup is different in the "Tasks per User" view.

thanks for all the help
Emanuel

I agree that this is just a small part of the system, but when considering dP as a tool for customer/subcontractor communication there should be no part that reveals all the information.

I ended up with the same problem. What I wanted to do is to give a user access only to a certain project (he must not see anything from other projects). However, it seems that "Tasks per user" lists all the tasks in the whole system regardless of the project.

Another way to access tasks or other "parts" of other projects is to mofidy URL's id.

Hi,

I just thought I would add that I have the same issue. It seems like the "Tasks by user" does not take into account all permissions.

It still shows all projects even though you can stop them from going any further they still see the task.

It looks as if this may be a bug.

Any ideas on this one as far as moding the code would be greatly appreciated. Even removing the "Tasks by user" would be a temporary solutions.

Regards,

Mark.
Adelaide I.T Solutions

it seems that I do not have the same problems. when I click on task by users from one of my employee's view, it says access denied.

I have the following for permissions:

For Role Permission,

Non-Admin Modules = access/view
Projects = denied view
Tasks = add
Tasks logs = add edit
Projects = edit

Individual account persmission:

Project "specified project" = Access/Edit/View

Then everything seems to work fine. Perhaps I am misreading you guys' inquiries?

I figured out you guys' problems. Remove this line:

Tasks -> All Tasks - Allow - Access, View.

and change it to following:

Tasks -> All Tasks - Access

Try that, I think it'll work.

basically don't allow "view" on tasks as general role permission and that will allow you to have only user-specified view on tasks by giving user-specified permission on projects.

It looks like this is as close as we may get for now. htemorp, you are spot on with the permissions you mentioned and it does show "access denied" when the user goes to Tasks by User, however,

I think what most would like is the ability for the employee or client to be able to edit the existing tasks. As soon as a permission is included to enable this, they can then click on "Tasks bu users" and see everything.

I have just duplicated what you suggested and it is spot on except thet cannot edit the existing tasks.

I will keep playing around if others can as well... Hopefully we can nut this one out.

Mark.

I think that it isn't as big of deal, because you can always add new task or use task log to update. I don't think it's a good idea to be able to edit tasks for users that we're all trying to restrict.

Hi,

I understand this however when I was testing it, I created a new task and then could not get back to it to edit the task. In other words, the client or employee can create a task themselves but then cannot edit it.

Looks like Chris - Esolutions has posted this that I think I will go with to solve this one.

http://www.dotproject.net/vbulletin/showthread.php?t=3622&goto=newpost

Many thanks guys... I really appreciate the assistance via this forum,

Mark.

I think it's imperfect myself as well. For example, when a user creates a project, he or she cannot view his/her own project unless I give permission, because I am trying to limit the project on per-project basis.

To elaborate and perhaps finding a possible solution:

Role permission (type listed have 'allow' status unless otherwise noted)

Projects = Access; denied view

User permission

Project A = Access/View/Edit/Add

But what's the point of "add" when user creates 'Project B' but he/she cannot view it unless admin goes in to give permission?

What seems to work for me is:

"project restricted" Role:

Non-Admin Modules - Allow: All
Contacts - Deny: All
Projects - Deny: All
Companies - Deny: All


permisissions to individual user:

Company - XYZ company
Project - XYZ company

After I read this I did the same thing: http://caseysoftware.com/dotproject-permissions

Btu I updated it to create a role for each company. So i have something like your project restricted role and then a "employee of company xyz" role. When you combine the two, it works!

Its way easier to manage roles then individual user's permissions.

great idea, I'll have to try it

Did that work?

Haven't tried your way as yet, I am pretty satisfied with what I have now except contact list shows contacts from all so I turned that off for project restricted role. Its OK for now.

Haven't tried your way as yet, I am pretty satisfied with what I have now except contact list was showing contacts from all projects so I turned that off for project restricted role. Its OK for now.

Doing something similar which works...thanks