Defect #37187
closed
no-permission-check allows issue creation in closed/archived projects
0%
Description
Setting --no-permission-check in the mail receiver allows creating issues and probably other objects in closed and archived projects. This is probably not what this option is intended for.
Files
Updated by Felix Schäfer almost 2 years ago
We will work on a patch and submit it here.
Updated by Felix Schäfer almost 2 years ago
- File 37187.patch 37187.patch added
The attached patch adds 2 tests demonstrating the problem when sending an email that would created a new issue. The patch also contains a proposed fix.
Updated by Go MAEDA almost 2 years ago
- Target version set to 4.2.7
Setting the target version to 4.2.7.
Updated by Felix Schäfer almost 2 years ago
Thank you. We are currently working on another patch that would introduce a different Error class for this case. This would be useful for plugins that need to differentiate between "this is not possible in that project" and "this is not possible for this user".
Could you please hold back on applying this patch? Do you think having different Error classes for those 2 cases could be useful? We will propose another one shortly.
Updated by Felix Schäfer almost 2 years ago
Please see the attached patch. It adds subclasses for UnauthorizedAction that allows backwards compatibility for code using UnauthorizedAction but still allows differentiating the error cases.
Updated by Marius BĂLTEANU almost 2 years ago
- Status changed from New to Closed
- Assignee set to Marius BĂLTEANU
- Resolution set to Fixed
Felix, patch committed and merged to stable branches. Thanks for reporting and fixing the issue!