New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handler access checks in SOAP API #518
Conversation
The mc_issue_add() API was missing a check to validate that specified handler has the appropriate access level. Fixes #16993
The mc_issue_update() wasn't check if the handler has access level to handle issues.
Users who report an issue with handler set must have the access level required to assign issues. Issue #16993
if( ( $t_handler_id != 0 ) && !user_exists( $t_handler_id ) ) { | ||
return SoapObjectsFactory::newSoapFault( 'Client', 'User \'' . $t_handler_id . '\' does not exist.' ); | ||
if( $t_handler_id != 0 ) { | ||
if( !access_has_project_level( config_get( 'update_bug_assign_threshold' ), $t_project_id, $t_user_id ) ) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe it's worth extracting the validation code in a separate function.
+1 otherwise
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will revise.
Disclose the handler id only if the user has the appropriate access level to see such information. Issue #16993
Move the check to a shared method used by mc_issue_add() and mc_issue_update(). Issue #16993
@rombert I've applied the refactoring and also added a missing check to mc_issue_get() for user having access to view the user assigned the issue. |
@vboctor - if I read the core correctly, mci_issue_handler_access_check, potentiall returns a soap_fault. Should the calling methods check for that and return the soap_fault if applicable? It does not trigger an error or throw an exception so it does not affect the flow control. |
Now that access check is done in its own function, the caller need to propagate the soap faults since we are not using real exceptions (unfortunately!).
@rombert I fixed the check for soap. My mind switched to exceptions mode :) |
@vboctor :-) +1 |
The mc_issue_add() and mc_issue_update() APIs were missing checks to validate that specified handler has the appropriate access level and that logged in user have access level to assign issues.
mc_issue_get() was also missing the check that the user has access to view the handler assigned the issue.
I suggest that we port this fix to master-1.2.x to make it in 1.2.18.
Fixes #16993