New configs to restrict access to Export and Print issues #1810
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
On second thoughts, considering that the Print Reports functionality can be leveraged to perform DOS attacks, I'll set $g_print_reports_threshold to a safer default of |
|
The last 5 commits are just code cleanup |
atrol
reviewed
May 13, 2022
atrol
approved these changes
May 13, 2022
vboctor
approved these changes
May 16, 2022
Restricts access to export functions.
Display export buttons only if access level is valid
Allow CSV content generation according to new configuration parameter
Allow Excel Export content generation according to new configuration parameter
Add new configuration option information
according to atrol suggestion during code review
code is readable enough without temp variable
According to atrol suggestion during code review
Based on vboctor comments
Remove help provided in description for 6 configuration options
Add the new option in config file Use the new configuration option in code option documented
Considering that the Print Reports functionality can be leveraged to perform DOS attacks, it is safer to set $g_print_reports_threshold* to `UPDATER`, so it is not accessible out of the box by anonymous or self-registered users.
Having the write_bug_rows() function in the middle of the markup makes the code difficult to read and defeats the purpose of having it a function in the first place...
Issue #22224
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add 2 new config options, $g_print_reports_threshold and $g_export_issues_threshold (both defaulting to
VIEWER), to restrict access to the mass export functions on view_all_bugs_page.php:Fixes #22224, #25492
This replaces PR #1021, which I finally got around to reviewing. The code looks good and tested OK with just a minor correction: adding a missing access check in print_all_bug_page_word.php.
Many thanks @MrBricodage for the initial submission and your work on this, with our apologies for taking so long to handle it.