Defect #37187
no-permission-check allows issue creation in closed/archived projects
Status: | Closed | Start date: | ||
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | % Done: | 0% | ||
Category: | Email receiving | |||
Target version: | 4.2.7 | |||
Resolution: | Fixed | Affected version: | 4.2.5 |
Description
Setting --no-permission-check
in the mail receiver allows creating issues and probably other objects in closed and archived projects. This is probably not what this option is intended for.
Associated revisions
Setting --no-permission-check
in the mail receiver should not allow creating issues in closed and archived projects (#37187).
Patch by Felix Schäfer.
History
#1
Updated by Felix Schäfer 8 months ago
We will work on a patch and submit it here.
#2
Updated by Felix Schäfer 8 months ago
- File 37187.patch
added
The attached patch adds 2 tests demonstrating the problem when sending an email that would created a new issue. The patch also contains a proposed fix.
#4
Updated by Felix Schäfer 8 months ago
Thank you. We are currently working on another patch that would introduce a different Error
class for this case. This would be useful for plugins that need to differentiate between "this is not possible in that project" and "this is not possible for this user".
Could you please hold back on applying this patch? Do you think having different Error
classes for those 2 cases could be useful? We will propose another one shortly.
#5
Updated by Felix Schäfer 8 months ago
- File 37187-different_errors.patch
added
Please see the attached patch. It adds subclasses for UnauthorizedAction
that allows backwards compatibility for code using UnauthorizedAction
but still allows differentiating the error cases.
#6
Updated by Marius BALTEANU 8 months ago
- Status changed from New to Closed
- Assignee set to Marius BALTEANU
- Resolution set to Fixed
Felix, patch committed and merged to stable branches. Thanks for reporting and fixing the issue!