- Status Closed
- Percent Complete
- Task Type Bug Report
- Category Backend/Core
- Assigned To peterdd
- Operating System All
- Severity Medium
- Priority Low
- Reported Version 1.0-rc
- Due in Version 1.0
- Due Date Undecided
- Votes
- Private
Attached to Project: Flyspray - The bug killer!
Opened by peterdd - 19.04.2016
Last edited by peterdd - 01.08.2016
FS#2120 - anonymous task creation in restricted project not possible
With these general project settings for everyone (users and anon):

    Project is active ('project_is_active'): yes
    Allow anyone to view tasks of this project ('others_view'): no
    Allow anyone to view roadmap of this project: no
    Allow anonymous users to open tasks: yes

- Project is not selectable from the Project drop down list with these settings, but it should be.
- The can_view_project permission is currently a calculated value, currently using ‘others_view’ permission for guests.
- Review where can_view_project() permission is used to limit access.
- Evaluate whether letting the “Allow anonymous users to open tasks” perm make the can_view_project() permission true is sufficient.
- Or just use the “Allow anonymous users to open tasks” perm at the relevant places. (I tend to prefer this, because of very limited places.)
- TODO: update documentation http://www.flyspray.org/manual/project-management/
- TODO: Maybe move

      Allow anyone to view tasks of this project: no
      Allow anyone to view roadmap of this project: no
      Allow anonymous users to open tasks: yes

  from the ‘Preferences’ project settings tab to the ‘User Groups’ project settings tab. So everything permission related is at one place.
I think the problem is within index.php, put in with commit https://github.com/Flyspray/flyspray/commit/651f09801a35533205971cf322483a0e52ad0a1d
An anon user cannot get past these code lines:

    // make sure people are not attempting to manually fiddle with projects they are not allowed to play with
    if (Req::has('project') && Req::val('project') != 0 && !$user->can_view_project(Req::val('project'))) {
        Flyspray::show_error( L('nopermission') );
        exit;
    }

But before just removing the “exit;” here, it needs to be reviewed whether anon users cannot trigger bad actions.
Made some work on github:
https://github.com/Flyspray/flyspray/commit/d85aae96bc6f104050a136cf13213824444cbf24
There is now a new calculated permission check function: can_select_project(). It is similar to can_view_project(), but allows anon users to select the project if the project allows submitting by anon guests.
ps: 'Anon' is not quite right. It means just the guest user has no user account. But for submitting it requires entering an email address for feedback notifications.
I think I solved it now.
$user->can_view_project(), $user->can_select_project(), ‘others_view’ and ‘others_viewroadmap’ project permissions are used also to decide if activity bars, stats, rss feed links, or links to certain tasks are shown on toplevel page for guests or users.
@Radek Svitil: Please check if the current github master https://github.com/Flyspray/flyspray now satisfies your requirements and give feedback.
https://groups.google.com/forum/#!topic/flyspray/UZXlpLx-mCk
https://groups.google.com/forum/#!topic/flyspray/Uq26PpNekDo
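
A simplified model of the guard discussed in this task, added here as an illustration and not taken from Flyspray's code: it shows why a separate "select" permission lets a guest reach the new-task form while every other request stays denied. The `guest_*` function names, the `anon_open` key, the action names and the dependence on `project_is_active` are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Constructed project settings matching the report (not read from a real install).
$restricted = [
    'project_is_active' => true,
    'others_view'       => false,
    'anon_open'         => true, // assumed key for "Allow anonymous users to open tasks"
];

// Model of the calculated view permission for a guest: driven by 'others_view'.
function guest_can_view_project(array $p): bool
{
    return $p['project_is_active'] && $p['others_view'];
}

// Model of the calculated select permission: view, or anonymous submission enabled.
function guest_can_select_project(array $p): bool
{
    return guest_can_view_project($p)
        || ($p['project_is_active'] && $p['anon_open']);
}

// Per-action guard: "select" is sufficient only for the submission form;
// every other action still requires the view permission (default deny).
function guest_guard(array $p, string $action): bool
{
    $selectIsEnough = ['newtask']; // hypothetical action name
    if (in_array($action, $selectIsEnough, true)) {
        return guest_can_select_project($p);
    }
    return guest_can_view_project($p);
}

// Compare the old guard (view permission for everything) with the split guard.
foreach (['newtask', 'tasklist', 'details'] as $action) {
    printf(
        "%-9s view-only guard: %-5s split guard: %s\n",
        $action,
        guest_can_view_project($restricted) ? 'allow' : 'deny',
        guest_guard($restricted, $action) ? 'allow' : 'deny'
    );
}
```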