Defect #33689

Issues API bypasses add_issue_notes permission

Added by Mizuki ISHIKAWA about 1 month ago. Updated 3 days ago.

Status: Resolved
Start date:
Priority: Normal
Due date:
Assignee: Go MAEDA
% Done: 0%
Category: Issues
Target version: 4.0.8
Resolution:
Affected version: 4.0.7

Description

Users without the add_issue_notes permission should not be able to add notes.
However, you can actually add notes by using the API or by creating a textarea[name="issue[notes]"] with the developer tool and submitting it.
This can be reproduced with trunk.

Is this by design? Looks like a bug to me.

defect-33689-test.patch (993 Bytes) Mizuki ISHIKAWA, 2020-07-14 10:32

fix-33689.patch (2.45 KB) Junya Tomono, 2020-07-23 09:45
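
The gap described above, where the notes field is hidden in the form but still accepted by the server, can be shown with a small model. This is an added example, not code from Redmine or from the attached patches; the User and Issue classes, the REQUIRED_PERMISSION table and both update methods are hypothetical.

```ruby
# Added illustration, not Redmine source. All class and method names are hypothetical.
require 'set'

class User
  def initialize(*permissions)
    @permissions = permissions.to_set
  end

  def allowed_to?(permission)
    @permissions.include?(permission)
  end
end

class Issue
  attr_reader :subject, :journal

  # Attribute name => permission required to set it through a request.
  REQUIRED_PERMISSION = {
    'subject' => :edit_issues,
    'notes'   => :add_issue_notes
  }.freeze

  def initialize(subject)
    @subject = subject
    @journal = []
  end

  # Before: every submitted key is applied. The form hides the notes field
  # from users without add_issue_notes, but the server never checks it.
  def update_unchecked(params, _user)
    apply(params)
  end

  # After: keep only the keys this user may set, whatever the client sent.
  # Keys with no entry in the table are dropped as well.
  def update_checked(params, user)
    allowed = params.select do |key, _value|
      permission = REQUIRED_PERMISSION[key]
      permission && user.allowed_to?(permission)
    end
    apply(allowed)
  end

  private

  # Applies the given attributes and returns the names that were accepted.
  def apply(attrs)
    @subject = attrs['subject'] if attrs.key?('subject')
    @journal << attrs['notes'] unless attrs['notes'].to_s.strip.empty?
    attrs.keys
  end
end
```

The same request body sent by a user holding only edit_issues adds a journal entry through update_unchecked and none through update_checked.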

Associated revisions

Revision 19975
Added by Go MAEDA 3 days ago

Fix that Issues API bypasses add_issue_notes permission (#33689).

Patch by Junya Tomono and Mizuki ISHIKAWA.

History

#1 Updated by Mizuki ISHIKAWA about 1 month ago

Share a test to reproduce this issue.
This test should fail.

#2 Updated by Junya Tomono 22 days ago

I wrote a patch for this fix.

#3 Updated by Go MAEDA 19 days ago

  • Target version set to 4.1.2

LGTM. Setting the target version to 4.1.2.

#4 Updated by Go MAEDA 3 days ago

  • Target version changed from 4.1.2 to 4.0.8
  • Affected version changed from 4.1.1 to 4.0.7

#5 Updated by Go MAEDA 3 days ago

  • Subject changed from API can add issue notes even if the user does not have add_issue_notes permission to Issues API bypasses add_issue_notes permission
  • Status changed from New to Resolved
  • Assignee set to Go MAEDA

Committed the patch. Thank you for reporting and fixing the issue.
