Flyspray - The bug killer!

  • Status: Closed
  • Percent Complete: 100%
  • Task Type: Bug Report
  • Category: Backend/Core
  • Assigned To: peterdd
  • Operating System: All
  • Severity: Medium
  • Priority: Low
  • Reported Version: 1.0-rc
  • Due in Version: 1.0
  • Due Date: Undecided
  • Votes
  • Private
Attached to Project: Flyspray - The bug killer!
Opened by peterdd - 19.04.2016
Last edited by peterdd - 01.08.2016

FS#2120 - anonymous task creation in restricted project not possible

With these general project settings for everyone (users and anon):

Project is active ('project_is_active'): yes
Allow anyone to view tasks of this project ('others_view'): no
Allow anyone to view roadmap of this project: no 
Allow anonymous users to open tasks: yes
  1. Project is not selectable from the Project drop-down list with these settings, but should be.
  2. The can_view_project permission is currently a calculated value, using the ‘others_view’ permission for guests.
  3. Review where the can_view_project() permission is used to limit access.
     1. Evaluate if the “Allow anonymous users to open tasks” perm making the can_view_project() permission true is sufficient.
     2. Or just use the “Allow anonymous users to open tasks” perm at the relevant places. (I tend to prefer this, because of very limited places.)
  4. TODO: Maybe move

     Allow anyone to view tasks of this project: no
     Allow anyone to view roadmap of this project: no
     Allow anonymous users to open tasks: yes

     from the ‘Preferences’ project settings tab to the ‘User Groups’ project settings tab, so everything permission related is in one place.

I think the problem is within index.php, put in with commit https://github.com/Flyspray/flyspray/commit/651f09801a35533205971cf322483a0e52ad0a1d

An anon user cannot get past these code lines:

```php
// make sure people are not attempting to manually fiddle with projects they are not allowed to play with
if (Req::has('project') && Req::val('project') != 0 && !$user->can_view_project(Req::val('project'))) {
    Flyspray::show_error( L('nopermission') );
    exit;
}
```

But before just removing the “exit;” here, we need to review if anon users cannot trigger bad actions.

Closed by peterdd
01.08.2016 16:25
Reason for closing: Implemented in devel
Project Manager

Made some work on github:
https://github.com/Flyspray/flyspray/commit/d85aae96bc6f104050a136cf13213824444cbf24

There is now a new calculated permission check function: can_select_project(). It is similar to can_view_project(), but allows anon users to select the project if the project allows task submissions by anon guests.

ps: 'Anon' is not quite right. It just means the guest user has no user account. But submitting requires entering an email address for feedback notifications.
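A minimal model of the old can_view_project() gate beside the new can_select_project() check from the task description and the comment above, added here as an illustration and not Flyspray's own code; the Project and User shapes, the id-0 guest convention and the sample project are assumptions:

```php
<?php
// Added illustration, not Flyspray's own code: a minimal model of the two
// permission checks discussed in FS#2120. The Project/User shapes are assumed;
// Flyspray's real methods live in its User class and read the database.

final class Project {
    public function __construct(
        public int $id,
        public bool $isActive,        // 'project_is_active'
        public bool $othersView,      // 'others_view'
        public bool $anonOpen,        // "Allow anonymous users to open tasks"
        public array $memberIds = [], // user ids granted access via a project group
    ) {}
}

final class User {
    /** @param int $id 0 stands for the anonymous guest (no user account) */
    public function __construct(public int $id, private array $projects) {}
    private function project(int $projId): ?Project {
        return $this->projects[$projId] ?? null;
    }

    // Old gate in index.php: members only, or anyone if 'others_view' is set.
    // A guest on a restricted project fails this, so cannot even select it.
    public function can_view_project(int $projId): bool {
        $p = $this->project($projId);
        if ($p === null || !$p->isActive) { return false; }
        return $p->othersView || in_array($this->id, $p->memberIds, true);
    }

    // New check: a guest may additionally *select* a project that accepts
    // anonymous task submissions; task lists stay governed by can_view_project().
    public function can_select_project(int $projId): bool {
        $p = $this->project($projId);
        if ($p === null || !$p->isActive) { return false; }
        return $this->can_view_project($projId) || ($this->id === 0 && $p->anonOpen);
    }
}

// Constructed sample: the restricted project from the report (others_view: no,
// anonymous task opening: yes), with user 42 as its only member.
$restricted = new Project(id: 7, isActive: true, othersView: false, anonOpen: true, memberIds: [42]);
$guest  = new User(0, [7 => $restricted]);
$member = new User(42, [7 => $restricted]);

// The index.php gate from the report, evaluated with the old and the new check.
foreach ([['view', $guest], ['select', $guest], ['select', $member]] as [$check, $u]) {
    $allowed = $check === 'view' ? $u->can_view_project(7) : $u->can_select_project(7);
    printf("user %d, can_%s_project: %s\n", $u->id, $check, $allowed ? 'yes' : 'nopermission');
}
```

For the guest the old check denies the restricted project while the new one admits it, which is the gap the task describes; the member passes both, and the guest still cannot list the project's tasks.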

Project Manager

I think I solved it now.

$user->can_view_project(), $user->can_select_project(), ‘others_view’ and ‘others_viewroadmap’ project permissions are also used to decide whether activity bars, stats, RSS feed links, or links to certain tasks are shown on the top-level page for guests or users.

@Radek Svitil: Please check if the current github master https://github.com/Flyspray/flyspray now satisfies your requirements and give feedback.
