Closed Bug 108312 Opened 22 years ago Closed 22 years ago

Mid air collision page may not show all updates

Categories

(Bugzilla :: Creating/Changing Bugs, defect, P1)

Product:
Bugzilla
Component:
Creating/Changing Bugs
Version:
2.15
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: jacob, Assigned: jacob)

References

Details

Attachments

(1 file)

use $::FORM{'delta_ts'} to determine where to start showing the changes.
1.11 KB, patch
luis
: review+
myk
: review+
Details | Diff | Splinter Review 
When a midair collision happens, it only shows the last change made to a bug,
not all changes that happened since you loaded the page.

To reproduce:
1. Load a bug (#3 for example)
2. Load the same bug in a different window.
3. Make a change (any field)
4. Click the "Back to bug" link
5. Make another change (still in the different window).
6. Return to the original window and make a change.
7. You'll get a mid-air collision, but only of the things you changed the
   second time.
8. Choose to submit your changes anyway.  It will overright both changes,
   even though it only showed you one on the Mid Air screen.

Patch forthcoming.
-> Me
Assignee: myk → jake
Status: NEW → ASSIGNED
Target Milestone: --- → Bugzilla 2.16
Er... I remember there was a security bug where you could hack the delta_ts in
the form to 0, and then get a midair on a security bug and it would show you all
of the comments in that bug even if you couldn't see the bug itself. Would
relying on the value from the form re-introduce that?

Gerv
not as long as we're making sure they can see the bug first before we go
checking if they've collided with it.
blocks a blocker so it's a blocker
Blocks: 73502
Severity: normal → blocker
Priority: -- → P1
Do we check that they have permissions? If not, that has to be fixed first.
so is anyone going to look and find out instead of continuing to ask that
question over and over?
OK, I did some testing on bugzilla.mozilla.org with bug 108385, which is
restricted to the security group.

Test 1:

1) Logged in as justdave@syndicomm.com, which can see that bug.
2) Saved a copy of the page as an HTML file on my local drive.
3) Logged out.
4) Logged back in as bzbot@landfill.tequilarista.org, which doesn't have access
to that bug.
5) Edited the form action in the HTML to use a full URL instead of relative.
6) Loaded the HTML page, typed in a comment, and hit Commit.

Results: I was presented with a box informing me that I didn't have access to
that bug.

Test 2:

1) Logged back in as justdave@syndicomm.com.
2) Added a comment to bug 108385 (which updated the delta_ts)
3) Logged in as bzbot@landfill.tequilarista.org
4) Loaded the previously saved HTML file (which still has the old delta_ts in it)
5) Added a comment and clicked Commit (should get a midair this time because the
delta_ts has changed)

Results: I was presented with a box informing me that I didn't have access to
that bug.


Conclusion:  Permission to access the bug is indeed checked before a midair
collission is checked for.
Comment on attachment 56372 [details] [diff] [review]
use $::FORM{'delta_ts'} to determine where to start showing the changes.

r=louie
Looks good here.
Attachment #56372 - Flags: review+
Comment on attachment 56372 [details] [diff] [review]
use $::FORM{'delta_ts'} to determine where to start showing the changes.

Works, looks good. r=myk
Attachment #56372 - Flags: review+
Checking in CGI.pl;
/cvsroot/mozilla/webtools/bugzilla/CGI.pl,v  <--  CGI.pl
new revision: 1.124; previous revision: 1.123
done
Checking in process_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/process_bug.cgi,v  <--  process_bug.cgi
new revision: 1.109; previous revision: 1.108
done
[
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.