Permission of guest user

How to make a guest user can ONLY create issue without allowing them to modify other guest's issue?
It's a common situation: We enabled guest account as reporter (in Youtrack Cloud) to get external user's issue, But they can modify other's issue (reported by other guest). Also, they can change their issue's status, which should changed by developer only. What should I do?
8 comments
Comment actions Permalink
Hello WeloveAyaka,

By default all users are included in All users group. That group has an Observer role by default (Read Issue/Comment). To allow guest users create and read only own issues, you need to add Reporter role to All users group.
No extra roles shouldn't be assigned to All users group.
Other users that have to have more permissions (Developer permissions, Admin permissions), need to be added to other special groups, with more additional roles (Developer, Admin etc.)

Thank you.
0
Comment actions Permalink
Thank you for your reply, but I am worried about someone modify other guest's issues maliciously .
0
Comment actions Permalink
WeloveAyaka,

Correct if I'm wrong, you are worried about that someone from your users (with Developer role permissions or similar) will change guest's issues? From that point of view, everyone (with advanced permissions) is able to modify everybody's issues.
If this could help you, I can suggest following solution:
create a custom Workflow, that won't allow editing issues from the guest users, before a perticular private field is not set. This private field will be visible to only users with permission 'Update private fields'. For example, this permission will be enabled for the group of Leads. In fact, this workflow will restrict modification of an issue for common developers and allow this modifications to only whom it may concern.

Thank you.
0
Comment actions Permalink
i'm worried that a guest can change other guest's issue. A guest user can modify other guests' issue. A malicious guests can clean all of the issues's content.
0
Comment actions Permalink
WeloveAyaka,

As I've said in my first reply, Reporter role includes permissions to create issues and view (only) not own issues. Only own issues can be edited by user with a Reporter permissions.
0
Comment actions Permalink
yes. a guest who has Reporter role can't view/modify developers' issue. but all guest users are treated as a same user. so, a guest can modify other guests' issue.
please log into http://kanata.myjetbrains.com/youtrack/issues as a guest, you can modify other guests issues.
0
Comment actions Permalink
WeloveAyaka,

Please take a look at the workflow. I believe, it'll solve your request:
rule newIssueState 

when issue.becomesReported() { 
 issue.issueState = {Issue}; 
}


rule checkIssueState 

when !issue.becomesReported() { 
 if (loggedInUser.isInGroup("Guest")) { 
   assert issue.issueState == {Draft}: "You have no permissions to edit issue"; 
    
 } 
}
prettyPrint();

Configuruation:
Create a group for a guest user (e.g. Guest). Add guest user to this group
Configure custom role with particular permissions you wish (e.g.Create issue, Create comment, Read issue, Read comment)
Add this role to guest user, as User Own Role
In your project, create a private custom field 'issueState' with the bundle of values: Issue and Draft

For each issue created by the guest user issueState == Issue . Guest user won't able to edit an issue.
Developer will be able to set this field to issueState == Draft . After that guest user will be able to modify issue. This is useful when developer needs to ask some clarification questions, in this he set field to Draft to allow guest to modify issue, add comments etc.
Please note, during issue creation (in case several guest users create issues at a time), drafts will be overwritten by each other, as all of them is the one user.

Thank you.
0
Comment actions Permalink
It works. Thank you!
0

Please sign in to leave a comment.