Flyspray - The bug killer!

  • Status: Closed
  • Percent Complete: 100%
  • Task Type: Bug Report
  • Category: Backend/Core
  • Assigned To: peterdd
  • Operating System: All
  • Severity: Medium
  • Priority: Low
  • Reported Version: 1.0-rc
  • Due in Version: 1.0
  • Due Date: Undecided
  • Votes
  • Private
Attached to Project: Flyspray - The bug killer!
Opened by peterdd - 19.04.2016
Last edited by peterdd - 01.08.2016

FS#2120 - anonymous task creation in restricted project not possible

With these general project settings for everyone (users and anon):

Project is active ('project_is_active'): yes
Allow anyone to view tasks of this project ('others_view'): no
Allow anyone to view roadmap of this project: no
Allow anonymous users to open tasks: yes

  1. The project is not selectable from the Project drop-down list with these settings, but should be.
  2. The can_view_project permission is currently a calculated value, currently using the 'others_view' permission for guests.
  3. Review where the can_view_project() permission is used to limit access.
     1. Evaluate if letting the "Allow anonymous users to open tasks" perm make the can_view_project() permission true is sufficient.
     2. Or just use the "Allow anonymous users to open tasks" perm at the relevant places. (I tend to prefer this, because of very limited places.)
  4. TODO: Maybe move

     Allow anyone to view tasks of this project: no
     Allow anyone to view roadmap of this project: no
     Allow anonymous users to open tasks: yes

     from the 'Preferences' project settings tab to the 'User Groups' project settings tab, so everything permission related is in one place.

I think the problem is within index.php, put in with commit https://github.com/Flyspray/flyspray/commit/651f09801a35533205971cf322483a0e52ad0a1d

An anon user cannot get past these code lines:

// make sure people are not attempting to manually fiddle with projects they are not allowed to play with
if (Req::has('project') && Req::val('project') != 0 && !$user->can_view_project(Req::val('project'))) {
    Flyspray::show_error( L('nopermission') );
    exit;
}

But before just removing the "exit;" here, we need to review whether anon users cannot trigger bad actions.

Closed by peterdd
01.08.2016 16:25
Reason for closing: Implemented in devel
Project Manager
peterdd commented on 22.04.2016 02:34

Made some work on github:
https://github.com/Flyspray/flyspray/commit/d85aae96bc6f104050a136cf13213824444cbf24

There is now a new calculated permission check function: can_select_project(). It is similar to can_view_project(), but allows anon users to select the project if the project allows submitting by anon guests.

ps: 'Anon' is not quite right. It means just the guest user has no user account. But for submitting it requires entering an email address for feedback notifications.
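As an added illustration of the distinction this comment draws between viewing and selecting a project (example code, not Flyspray's own; the Project settings object, the guest flag and the simplified rule that any logged-in user may view an active project are assumptions):

```php
<?php
// Illustrative model of the two calculated checks and the index.php gate.
// NOT Flyspray code: the settings fields and the "logged-in users can view"
// shortcut are assumptions that keep the example self-contained.

class Project {
    public function __construct(
        public int $id,
        public bool $isActive,   // 'project_is_active'
        public bool $othersView, // "Allow anyone to view tasks of this project"
        public bool $anonOpen    // "Allow anonymous users to open tasks"
    ) {}
}

class User {
    public function __construct(public bool $isGuest) {}

    // Viewing: a guest only gets in when 'others_view' is set, which is the
    // calculated value the report says was used for guests.
    public function canViewProject(Project $p): bool {
        if (!$p->isActive) {
            return false;
        }
        return $this->isGuest ? $p->othersView : true;
    }

    // Selecting: like viewing, but a guest may also pick a project that accepts
    // anonymous task submissions, so the "open task" flow is reachable without
    // exposing the task list (canViewProject stays false for that guest).
    public function canSelectProject(Project $p): bool {
        if ($this->canViewProject($p)) {
            return true;
        }
        return $this->isGuest && $p->isActive && $p->anonOpen;
    }
}

// The index.php gate quoted in the report, as a function that returns whether
// the request may proceed instead of calling exit.
function requestAllowed(User $u, ?Project $requested): bool {
    if ($requested === null || $requested->id === 0) {
        return true; // no project parameter: nothing to guard
    }
    return $u->canSelectProject($requested);
}

// Constructed data matching the settings in the report.
$restricted = new Project(id: 7, isActive: true, othersView: false, anonOpen: true);
$guest = new User(isGuest: true);
var_dump($guest->canViewProject($restricted), $guest->canSelectProject($restricted));
var_dump(requestAllowed($guest, $restricted));
```

Pages that render task data keep gating on canViewProject; only the project selection step for task creation is relaxed, which is the "very limited places" the report prefers.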

Project Manager
peterdd commented on 26.07.2016 04:07

I think I solved it now.

$user->can_view_project(), $user->can_select_project(), 'others_view' and 'others_viewroadmap' project permissions are also used to decide if activity bars, stats, RSS feed links, or links to certain tasks are shown on the top-level page for guests or users.

@Radek Svitil: Please check if the current github master https://github.com/Flyspray/flyspray now satisfies your requirements and give feedback.
