Closed
Bug 181797
Opened 22 years ago
Closed 20 years ago
View All link shows Edit link for attachments even when user does not have enough perms
Categories
(Bugzilla :: Attachments & Requests, defect)
Bugzilla
Attachments & Requests
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: cesarb, Assigned: goobix)
References
()
Details
Attachments
(1 file, 1 obsolete file)
4.27 KB,
patch
|
kiko
:
review-
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021123
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021123
I don't have enough priviledges to edit the patch at
http://bugzilla.mozilla.org/show_bug.cgi?id=181791 . So, the Edit link in the
Action column does not even appear. However, if I chose View All, the Edit link
is there.
Reproducible: Always
Steps to Reproduce:
1.Go to the bug with an account without enough priviledges
2.Click View All
3.Click the Edit link for the patch
Actual Results:
The link is there (and shows that ugly big red error message)
Expected Results:
The link should not appear
Updated•22 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 1•22 years ago
|
||
The attachment.cgi code should really change to using Attachment.pm. That way we
get to show bug flags too
see also bug 140999
Assignee | ||
Comment 3•21 years ago
|
||
What this patch doesn't do (I'd prefer to do that in other opened bugs):
- a security review of attachment.cgi and its safety againest exploits, and if
some are detected, patches to cover up those holes.
- code redundancy elimination (we already do a lot of this with the current
patch; there is room for more, especially between
template/en/default/attachment/list.html.tmpl and
template/en/default/attachment/show-multiple.html.tmpl; I'd like to investigate
this more closely in another bug; in addition, the code in question is not
exactly identically, but this patch brings them a little bit closer to each
other).
Assignee: myk → vlad
Status: NEW → ASSIGNED
Assignee | ||
Updated•21 years ago
|
OS: Linux → All
Hardware: PC → All
Target Milestone: --- → Bugzilla 2.18
Assignee | ||
Comment 4•21 years ago
|
||
Attachment #145846 -
Attachment is obsolete: true
Assignee | ||
Updated•21 years ago
|
Attachment #145847 -
Flags: review?(kiko)
Comment 5•21 years ago
|
||
Comment on attachment 145847 [details] [diff] [review]
V2
>Index: attachment.cgi
>- my $privacy = "";
>- if (Param("insidergroup") && !(UserInGroup(Param("insidergroup")))) {
>- $privacy = "AND isprivate < 1 ";
>- }
Was this code obsolete? I just don't see any references to insidergroup in
Attachment.pm, but maybe I'm blind.
>- $a{'isviewable'} = isViewable($a{'contenttype'});
This I'm also left wondering about..
template/en/default/attachment/show-multiple.html.tmpl
>+[% canseeprivate = !Param("insidergroup") || UserInGroup(Param("insidergroup")) %]
> [% FOREACH a = attachments %]
>-
>+ [% IF !a.isprivate || canseeprivate %]
Oh, I see this here now. Hmmmm. Don't you think it might be a better idea to
pass a flag to query instead of omitting the data here in the template?
Assignee | ||
Comment 6•21 years ago
|
||
> Was this code obsolete? I just don't see any references to insidergroup in
> Attachment.pm, but maybe I'm blind.
That's because we pass the whole list to the template, and the template displays
only the attachment for which the security tokens are valid.
> >- $a{'isviewable'} = isViewable($a{'contenttype'});
>
> This I'm also left wondering about..
This makes non-viewable attachments for which the content-type doesn't allow to
show them in an iframe.
> Oh, I see this here now. Hmmmm. Don't you think it might be a better idea to
> pass a flag to query instead of omitting the data here in the template?
Keeping the things at the template-level is a nice approach in my opinion.
Comment 7•21 years ago
|
||
It would be better to pass canseeprivate to Bugzilla::Attachment::query for
performance (unnecessary data wouldn't be getting retrieved from the database
and sent to the template processor); simplicity of template logic (which makes
it easier for less experienced Bugzilla hackers to modify the look and feel);
and security (is consistent with other places in the codebase where we do the
same thing, exposes secure data in fewer places, and doesn't let it reach the
template, which might get edited by less experienced Bugzilla hackers).
Comment 8•21 years ago
|
||
It also ensures that other templates and clients of that form are aware of the
privacy issue.
Updated•21 years ago
|
Attachment #145847 -
Flags: review?(kiko) → review-
Comment 9•21 years ago
|
||
I was going to push this off, but it looks like it has current activity on it.
Anyone planning to finish this up soon?
Comment 10•20 years ago
|
||
Seems not :-| Dave: time to push this off?
Gerv
Updated•20 years ago
|
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Comment 11•20 years ago
|
||
This bug has not been touched by its owner in over six months, even though it is
targeted to 2.20, for which the freeze is 10 days away. Unsetting the target
milestone, on the assumption that nobody is actually working on it or has any
plans to soon.
If you are the owner, and you plan to work on the bug, please give it a real
target milestone. If you are the owner, and you do *not* plan to work on it,
please reassign it to nobody@bugzilla.org or a .bugs component owner. If you are
*anybody*, and you get this comment, and *you* plan to work on the bug, please
reassign it to yourself if you have the ability.
Target Milestone: Bugzilla 2.20 → ---
Comment 12•20 years ago
|
||
Now that bug 274906 is fixed, all links in comments point to the "Edit
attachment" page and this page is now accessible to everybody thanks to the fix
from bug 274724. So we are perfectly consistent now. Users without sufficient
privs can access the page but cannot edit the attachment, in the same way
show_bug.cgi works (it let you see the bug, but not do changes if you haven't
editbugs privs).
Marking wontfix!
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•