
rpc: harden closeIssue access checks/validation #287

Merged
merged 5 commits into from Sep 30, 2017

Conversation

glensc
Member

@glensc glensc commented Sep 6, 2017

Similarly to #280, validate parameters at server side.

I didn't bother to think much, just added similar checks to the ones #280 has:

        $this->checkIssuePermissions($issue_id);
        $this->checkIssueAssignment($issue_id);


        if (!Access::canChangeStatus($issue_id, $usr_id)) {
            throw new RemoteApiException("User has no access to update issue #$issue_id");
        }

Also checks that the issue is not already closed:

        if (Issue::isClosed($issue_id)) {
            throw new RemoteApiException("Issue #$issue_id already closed");
        }

@glensc glensc requested a review from balsdorf September 6, 2017 21:33
@glensc glensc added this to the 3.3.0 milestone Sep 6, 2017
@glensc
Member Author

glensc commented Sep 6, 2017

Also, I think I found a bug:

        // FIXME: this doesn't validate that the status belongs to $issue_id's project
        $status_id = Status::getStatusID($new_status);
        if (!$status_id) {
            throw new RemoteApiException("Invalid status: $new_status");
        }

How do you suggest fixing this (if at all)? Is there already a method for that?

@glensc
Member Author

glensc commented Sep 29, 2017

@balsdorf ping. Also, have you finished your parts for the 3.3.0 release?

Contributor

@balsdorf balsdorf left a comment


This looks good. I've added one specific comment about the bug you reported and once that is fixed this looks good to merge.

$status_id = Status::getStatusID($new_status);
if (!$status_id) {
Contributor


For this I'd change it to

if (!$status_id || !in_array(Issue::getProjectID($issue_id), Status::getAssociatedProjects($status_id))) {

which will take care of checking if the status belongs to the project.
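The checks from the PR description, the bug glensc reported and the fix balsdorf suggests, put together as one server-side validation routine. This is an added example, not Eventum's code: the Access, Issue and Status classes are constructed in-memory stand-ins assumed to match the call shapes the PR uses, checkIssuePermissions and checkIssueAssignment are folded into the stand-in canChangeStatus, and PHP 7 or later is assumed.

```php
<?php
// Added example (not Eventum's code): in-memory stand-ins for the Access, Issue
// and Status calls used in the PR, so the validation order can be run offline.
class RemoteApiException extends Exception {}
// Constructed fixture: status 'closed' belongs to project 10, 'done' to project 20.
const STATUSES = ['closed' => ['id' => 1, 'projects' => [10]], 'done' => ['id' => 2, 'projects' => [20]]];
const ISSUES   = [100 => ['project' => 10, 'closed' => false, 'can_change' => [7]],
                  200 => ['project' => 20, 'closed' => true,  'can_change' => [7]]];
class Status {
    public static function getStatusID(string $title): int { return STATUSES[$title]['id'] ?? 0; }
    public static function getAssociatedProjects(int $sta_id): array {
        foreach (STATUSES as $s) { if ($s['id'] === $sta_id) { return $s['projects']; } }
        return [];
    }
}
class Issue {
    public static function getProjectID(int $issue_id): int { return ISSUES[$issue_id]['project']; }
    public static function isClosed(int $issue_id): bool { return ISSUES[$issue_id]['closed']; }
}
class Access {
    // Stand-in for checkIssuePermissions/checkIssueAssignment plus canChangeStatus:
    // unknown issues fail closed, known ones require the user on the allow list.
    public static function canChangeStatus(int $issue_id, int $usr_id): bool {
        return isset(ISSUES[$issue_id]) && in_array($usr_id, ISSUES[$issue_id]['can_change'], true);
    }
}
// Server-side validation for closeIssue in the order the PR applies it: access,
// then issue state, then the status/project check suggested in the review.
// Each failure throws, so a caller can never act on a partially validated request.
function validateCloseIssue(int $issue_id, int $usr_id, string $new_status): int {
    if (!Access::canChangeStatus($issue_id, $usr_id)) {
        throw new RemoteApiException("User has no access to update issue #$issue_id");
    }
    if (Issue::isClosed($issue_id)) {
        throw new RemoteApiException("Issue #$issue_id already closed");
    }
    $status_id = Status::getStatusID($new_status);
    // Rejects a status that exists but belongs to another project (the reported bug).
    if (!$status_id || !in_array(Issue::getProjectID($issue_id), Status::getAssociatedProjects($status_id))) {
        throw new RemoteApiException("Invalid status: $new_status");
    }
    return $status_id;
}
// Exercises: a valid close, a status from another project, an already-closed
// issue, and a user without access to the issue.
foreach ([[100, 7, 'closed'], [100, 7, 'done'], [200, 7, 'done'], [100, 9, 'closed']] as list($i, $u, $s)) {
    try { $id = validateCloseIssue($i, $u, $s); echo "ok: status $id\n"; }
    catch (RemoteApiException $e) { echo "rejected: ", $e->getMessage(), "\n"; }
}
```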

@balsdorf
Contributor

Sorry I totally missed this. Review submitted.

I don't think I had anything else for 3.3.0, just merging the attachment changes. If you know of anything, let me know and I'll knock it out.

@glensc
Member Author

glensc commented Sep 30, 2017

Documentation update that 5.6 is now the required version. This is what I had in mind.

@glensc glensc merged commit fee4b53 into eventum:master Sep 30, 2017
@glensc glensc deleted the close-issue-rpc branch September 30, 2017 12:25
@balsdorf
Contributor

balsdorf commented Oct 2, 2017

@glensc I've updated the docs to say that only 5.6 is supported now.

@glensc
Member Author

glensc commented Oct 2, 2017

I'm fine with making the 3.3.0 release, although I can't test it myself before having applied the attachments PR. I haven't figured out whether I need to increase storage for the MySQL partition or not, or how much...

Actually created #300 for this (3.0.0 for #300, nice coincidence!)
