Defect #37187

no-permission-check allows issue creation in closed/archived projects

Added by Felix Schäfer 2 months ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee: Marius BALTEANU
Category: Email receiving
Target version: 4.2.7
Resolution: Fixed
Affected version: 4.2.5
Start date:
Due date:
% Done: 0%

Description

Setting --no-permission-check in the mail receiver allows creating issues and probably other objects in closed and archived projects. This is probably not what this option is intended for.

37187.patch (2.86 KB) Felix Schäfer, 2022-06-02 11:17

37187-different_errors.patch (3.83 KB) Felix Schäfer, 2022-06-07 11:38

Associated revisions

Revision 21641
Added by Marius BALTEANU about 1 month ago

Setting --no-permission-check in the mail receiver should not allow creating issues in closed and archived projects (#37187).

Patch by Felix Schäfer.

Revision 21652
Added by Marius BALTEANU about 1 month ago

Merged r21641 to 5.0-stable (#37187).

Revision 21653
Added by Marius BALTEANU about 1 month ago

Merged r21641 to 4.2-stable (#37187).

History

#1 Updated by Felix Schäfer 2 months ago

We will work on a patch and submit it here.

#2 Updated by Felix Schäfer 2 months ago

The attached patch adds 2 tests demonstrating the problem when sending an email that would create a new issue. The patch also contains a proposed fix.

#3 Updated by Go MAEDA 2 months ago

  • Target version set to 4.2.7

Setting the target version to 4.2.7.

#4 Updated by Felix Schäfer 2 months ago

Thank you. We are currently working on another patch that would introduce a different Error class for this case. This would be useful for plugins that need to differentiate between "this is not possible in that project" and "this is not possible for this user".

Could you please hold back on applying this patch? Do you think having different Error classes for those 2 cases could be useful? We will propose another one shortly.

#5 Updated by Felix Schäfer 2 months ago

Please see the attached patch. It adds subclasses for UnauthorizedAction that allow backwards compatibility for code using UnauthorizedAction but still allow differentiating the error cases.
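To make the failure mode in the description and the error-class split proposed in #5 concrete, here is an added, self-contained Ruby model of a mail receiver's "create issue" path. It is not Redmine's MailHandler and not the attached patch; the class names, the `receive_issue_before`/`receive_issue_after` methods, the project/user structs and the sample data are all assumptions made for illustration. The "before" variant has the user permission check as its only guard, so `--no-permission-check` removes every guard; the "after" variant runs a project-level check unconditionally and only lets the option skip the per-user check, raising two subclasses of `UnauthorizedAction` so a plain `rescue UnauthorizedAction` keeps working while callers can still tell the cases apart.

```ruby
# Added example, not Redmine's code: minimal model of a mail-receiver
# "create issue" path. Names below are illustrative assumptions.

class UnauthorizedAction < StandardError; end
# The target project itself cannot take issues (closed, archived, module off).
# No user could add an issue here, so --no-permission-check must not apply.
class NotAllowedInProject < UnauthorizedAction; end
# The project takes issues, but this particular sender is not allowed to add them.
class InsufficientPermissions < UnauthorizedAction; end

Project = Struct.new(:name, :status, :issue_tracking_enabled, keyword_init: true) do
  # Only an active project with issue tracking enabled can receive issues.
  def allows_to_add_issues?
    status == :active && issue_tracking_enabled
  end
end

User = Struct.new(:login, :permissions, keyword_init: true) do
  # permissions: { "project-name" => [:add_issues, ...] }
  def allowed_to?(action, project)
    permissions.fetch(project.name, []).include?(action)
  end
end

class MailHandler
  attr_reader :created

  def initialize(no_permission_check: false)
    @no_permission_check = no_permission_check
    @created = []
  end

  # Vulnerable shape (the behaviour reported in the ticket): the user check is
  # the only guard, so --no-permission-check lets an issue land in any project,
  # including closed or archived ones.
  def receive_issue_before(user, project, subject)
    unless @no_permission_check || user.allowed_to?(:add_issues, project)
      raise UnauthorizedAction, "not allowed to add issues to project [#{project.name}]"
    end
    create(project, user, subject)
  end

  # Fixed shape: the project-level check always runs; only the per-user check
  # is skipped by --no-permission-check. Distinct subclasses identify the cause.
  def receive_issue_after(user, project, subject)
    unless project.allows_to_add_issues?
      raise NotAllowedInProject, "not possible to add issues to project [#{project.name}]"
    end
    unless @no_permission_check || user.allowed_to?(:add_issues, project)
      raise InsufficientPermissions, "not allowed to add issues to project [#{project.name}]"
    end
    create(project, user, subject)
  end

  private

  def create(project, user, subject)
    issue = { project: project.name, author: user.login, subject: subject }
    @created << issue
    issue
  end
end

# Constructed sample data (not taken from any real instance).
ACTIVE   = Project.new(name: "webapp",    status: :active,   issue_tracking_enabled: true)
CLOSED   = Project.new(name: "legacy",    status: :closed,   issue_tracking_enabled: true)
ARCHIVED = Project.new(name: "old",       status: :archived, issue_tracking_enabled: true)
NOMODULE = Project.new(name: "wiki-only", status: :active,   issue_tracking_enabled: false)
SENDER   = User.new(login: "mailer", permissions: { "webapp" => [:add_issues] })

# Runs one receive attempt and returns :created or the raised error class,
# so outcomes can be compared without rescue blocks at every call site.
def outcome(handler, method, project, user = SENDER)
  handler.public_send(method, user, project, "Re: status?")
  :created
rescue UnauthorizedAction => e
  e.class
end

if __FILE__ == $0
  relaxed = MailHandler.new(no_permission_check: true)
  %i[receive_issue_before receive_issue_after].each do |m|
    [ACTIVE, CLOSED, ARCHIVED, NOMODULE].each do |p|
      puts "#{m} #{p.name.ljust(10)} -> #{outcome(relaxed, m, p)}"
    end
  end
end
```

Run stand-alone, the "before" handler with the option set creates an issue in all four projects, while the "after" handler creates one only in the active project with issue tracking enabled and raises `NotAllowedInProject` for the rest; without the option, a sender lacking `:add_issues` on the active project gets `InsufficientPermissions`, and both subclasses are still caught by `rescue UnauthorizedAction`.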

#6 Updated by Marius BALTEANU about 1 month ago

  • Status changed from New to Closed
  • Assignee set to Marius BALTEANU
  • Resolution set to Fixed

Felix, patch committed and merged to stable branches. Thanks for reporting and fixing the issue!
