Defect #13762

SCM auto status change bypassses roles and permissions

Added by Marcus Rejås about 4 years ago. Updated over 3 years ago.

Status:ConfirmedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:SCM
Target version:Candidate for next major release
Resolution: Affected version:

Description

Hi,

Encountered unexpected behavior yesterday when i accidentally added a Git archive cloned from another site (buildroot in this case) which contained a lot of commit-messages like

"Closes #1123" 

This ended up in a lot of actions like:

Updated by Anonymous about 9 hours ago

    Status changed from New to Resolved
    % Done changed from 0 to 100

Comment Edit

Applied in changeset alleatoautomationplatform:buildroot|commit:4f0361ab2ca4f25207c84b557e31319c9a417a76.

This was not only in the project the Repository is in but sitewide.

The user Anonymous have no permissions set.

This differs in two ways from my expected behavior:

1) The anonymous user should not be able to close issues.
2) A repo commit should only be able to modify issues in the same project as the repo.

This is an old installation that have gone through several upgrades. Unfortunately I don't have time to reproduce it in a clean environment but I thought it might be best reporting it anyway since it is security related.

Ruby version              1.9.3 (x86_64-linux)
RubyGems version          1.8.23
Rack version              1.4
Rails version             3.2.13
Active Record version     3.2.13
Action Pack version       3.2.13
Active Resource version   3.2.13
Action Mailer version     3.2.13
Active Support version    3.2.13
Middleware                Rack::Cache, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x0000000289ede0>, Rack::Runtime, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Callbacks, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, RedmineDmsf::NoParse, ActionDispatch::ParamsParser, ActionDispatch::Head, Rack::ConditionalGet, Rack::ETag, ActionDispatch::BestStandardsSupport, OpenIdAuthentication
Application root          /var/www/redmine-2.2
Environment               production
Database adapter          mysql2
Database schema version   20121026003537

Thanks in advance and thank you for a great product. We love it!

Marcus


Related issues

Related to Redmine - Feature #4823: Don't evaluate commit-message "refs, closes, ..." when ad... New 2010-02-12
Duplicated by Redmine - Defect #14276: Limit users than can reference and fix issues in commit m... Closed
Duplicated by Redmine - Defect #14826: Project permissions not respected in Fix/Reference commit Closed
Duplicated by Redmine - Feature #13792: Fixing via git push should not break workflow Closed

History

#1 Updated by Toshi MARUYAMA about 4 years ago

  • Category set to SCM

#2 Updated by Toshi MARUYAMA about 4 years ago

  • Status changed from New to Confirmed
  • Target version set to 2.3.1

#3 Updated by Toshi MARUYAMA about 4 years ago

  • Target version changed from 2.3.1 to 2.4.0

#4 Updated by Toshi MARUYAMA about 4 years ago

  • Subject changed from Repositories bypassses roles and pesmissions to SCM auto status change bypassses roles and pesmissions

#5 Updated by Etienne Massip about 4 years ago

I disagree with this one, Anonymous here is not the Redmine anonymous user but a developer which has commit access to the repository and which SCM identifier is not mapped to an actual Redmine user, this is far from being a lambda person but a member of the project.

This should not be touched IMHO.

#6 Updated by Marcus Rejås about 4 years ago

Etienne Massip wrote:

I disagree with this one, Anonymous here is not the Redmine anonymous user but a developer which has commit access to the repository and which SCM identifier is not mapped to an actual Redmine user, this is far from being a lambda person but a member of the project.

This should not be touched IMHO.

I understand but it might lead to security breaches. You say that the person is being member of the project, but really it is member of any project. So if a committer by accident or on purpose mistypes the issue-id or enters one belonging to an external ticket system he or she might change things in a project where he or she might not have access. The person who made the mistake will not then be alerted at all and have no way to correct the problem.

My solution is to add three configuratoin options to the repos.

[] Allow altering of tickets through commit messages
[] Allow system wide altering of tickets through commit messages
[] Allow Non-mapped users in the repo to alter tickets through commit messages

We track external repos in some projects and this led to some confusion (to say the least) ...

#7 Updated by Toshi MARUYAMA about 4 years ago

  • Related to Defect #14276: Limit users than can reference and fix issues in commit messages added

#8 Updated by Toshi MARUYAMA about 4 years ago

  • Related to deleted (Defect #14276: Limit users than can reference and fix issues in commit messages)

#9 Updated by Toshi MARUYAMA about 4 years ago

  • Duplicated by Defect #14276: Limit users than can reference and fix issues in commit messages added

#10 Updated by Etienne Massip almost 4 years ago

  • Subject changed from SCM auto status change bypassses roles and pesmissions to SCM auto status change bypassses roles and permissions

#11 Updated by Toshi MARUYAMA almost 4 years ago

  • Duplicated by Defect #14826: Project permissions not respected in Fix/Reference commit added

#12 Updated by Jean-Philippe Lang over 3 years ago

  • Target version changed from 2.4.0 to Candidate for next major release

The root problem should be fixed by r4823 which disables issue updates when importing old commits. The requested option "Allow system wide altering of tickets through commit messages" is also already available as "Allow issues of all the other projects to be referenced and fixed".

#13 Updated by Mischa The Evil over 3 years ago

Jean-Philippe Lang wrote:

The root problem should be fixed by r4823 [...]

FTR: it should read issue #4823 (and r12199).

#14 Updated by Toshi MARUYAMA over 3 years ago

  • Related to Feature #4823: Don't evaluate commit-message "refs, closes, ..." when adding a repository added

#15 Updated by Go MAEDA over 1 year ago

  • Duplicated by Feature #13792: Fixing via git push should not break workflow added

Also available in: Atom PDF