View attachment fail with 500 ISE #160

Closed
Ariusxiang opened this Issue Dec 27, 2017 · 4 comments

Ariusxiang commented Dec 27, 2017

WARNING: do not publicly report security issues in the bug tracker!
Ping us via email to coordinate the fix and disclosure of the problem!

Description of problem

https://demo.kiwitcms.org/case/71/#attachment

Component (web, API, etc)

web

How often reproducible

100%

Steps to Reproduce

  1. Browse into a test case
  2. Upload a PNG file as an attachment
  3. View the file uploaded in step 2

Actual results

500 ISE error page

Expected results

Show the attachment or download the attachment

atodorov added a commit that referenced this issue Dec 30, 2017

Use MEDIA_ROOT instead of FILE_UPLOAD_DIR setting. Related to #160
- serve these files locally in DEBUG mode
- serve the uploads directory via Apache in production

atodorov added a commit that referenced this issue Dec 30, 2017

Use django-attachments for user uploaded files. Fixes #160
- remove tcms/core/files.py
- remove now-unused home-grown attachment models
- remove related factories and update tests
- update templates
- update JavaScript files (remove unnecessary parts)
- update default permissions

As part of this change we no longer copy Plan and Case
attachments when cloning these objects.

NOTE: Since django-attachments introduces new permission objects
you will have to adjust default permissions for existing users.
In order for them to be able to upload/delete their own files they
need to have `attachments.add_attachment` and `attachments.delete_attachment`
permissions.

These same permissions are added by default to the 'Tester' group.
If you are running an existing installation registering a new user
with Kiwi TCMS will update the default permissions for this group!

Migrations for 'testcases':
    - Remove field attachment from testcaseattachment
    - Remove field case from testcaseattachment
    - Remove field case_run from testcaseattachment
    - Remove field attachment from testcase
    - Delete model TestCaseAttachment
Migrations for 'testplans':
    - Remove field attachment from testplanattachment
    - Remove field plan from testplanattachment
    - Remove field attachment from testplan
    - Delete model TestPlanAttachment
Migrations for 'management':
    - Remove field submitter from testattachment
    - Remove field attachment from testattachmentdata
    - Delete model TestAttachment
    - Delete model TestAttachmentData

atodorov added a commit that referenced this issue Dec 30, 2017

Use MEDIA_ROOT instead of FILE_UPLOAD_DIR setting. Related to #160
- serve these files locally in DEBUG mode
- serve the uploads directory via Apache in production

@atodorov atodorov closed this in 48f14ea Dec 30, 2017

calvinmqc commented Apr 12, 2018

I noticed another issue with version 4.1.0:

Browse into a test plan > test case > Attachment
Click the add button beside "Add attachment"
It redirects me to the login page right away (it does not show the wizard to select an attachment)

If I use the root account, this issue does not happen. Initially I thought this was related to the user permissions. Therefore I tested it as below:

Log in as root, go to Groups, go to Tester
Add all available permissions on the left panel to the right panel
Save
Log in again as one user under the Tester group, try to add an attachment and the issue is still the same

Log in as root, go to Users, click the test user
Add all available permissions on the left panel to the right panel
Save
Log in again as the test user I just modified, add an attachment but the issue is still the same

However, if I go to Users, click the test user, check the Superuser option and save it, then the issue does not reoccur. So it looks like only a superuser (root) can add an attachment successfully in this version.

I do plan to upgrade to the latest version. But when I check the release notes, they do not mention this issue, so I assume it will still be the same even after I upgrade to the latest version.

Any suggestions? Thanks for your time! @atodorov

atodorov commented Apr 13, 2018

@calvinmqc please retest with the latest 4.1.4 version and report as a new issue if you still see problems.

calvinmqc commented May 11, 2018

I upgraded to version 4.1.4 today and tested the attachment feature.
There is no change. I can reproduce the issue with the previous steps.
It is exactly the same symptom, so I think it is a bug.
The only way to work around it now is to change the test user to be a root account.

andyflury commented May 26, 2018

The issue still seems to be there with the latest Docker image.
I still get a 500 ISE error page when trying to upload files (even with the root account).
Is there maybe an older version of Kiwi that I can use where uploads still worked?
