Fix request #38259 ID confusion in query for bulk check of Artifact permissions

How to test: The following command should succeed

    make tests-db SEED=1716305341

Why? Since the permission type was not checked, there was an ID collision with this seed. Tracker ID = 2 is supposed to be closed (not accessible to current user), but Artifact ID = 2 is open as there is a specific permission on artifact for it. As the type is not checked, the query will therefore find a permission on an object with ID = 2, and falsely assume that user can therefore read Tracker 2. It will raise Artifact ID = 4 (which belongs to Tracker 2) as readable.

It turns out the check of tracker permissions is done again, more thoroughly, in calling PHP code in TrackersPermissionsRetriever. This means we can simply drop the join in the DB query. It leaves three cases to the query:

1. No permission is set on the artifact. It returns its ID, so that the tracker permissions may apply.
2. Permission on artifact includes one of the user groups of the user. It returns the artifact ID.
3. Permission on artifact does not include any of the user groups of the user. It does not return the artifact ID.

Change-Id: Ia0b6e45ab3b7a7999528fd45fbb4cfe7664ddff4

Modified Files

Name
M plugins/tracker/include/Tracker/Permission/TrackersPermissionsDao.php +3 −9
M plugins/tracker/tests/integration/Permission/TrackersPermissionsDaoOnArtifactsTest.php +31 −19
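
The ID collision described in the commit message, reproduced with SQLite as an added example that is not part of the commit or the project's code. The schema, the permission type names, the group IDs 101 and 999, artifact 5 and the query shape are constructed simplifications; only the roles of Tracker 2, Artifact 2 and Artifact 4 follow the message.

```python
import sqlite3

# Constructed, simplified schema and rows (assumptions, not the project's tables).
# One permissions table serves trackers and artifacts, so object_id values collide.
SETUP = """
CREATE TABLE artifact (id INTEGER PRIMARY KEY, tracker_id INTEGER);
CREATE TABLE permissions (permission_type TEXT, object_id INTEGER, ugroup_id INTEGER);
INSERT INTO artifact VALUES (2, 1), (4, 2), (5, 1);
INSERT INTO permissions VALUES
  ('TRACKER_ACCESS', 1, 101),   -- tracker 1: open to the user's group 101
  ('TRACKER_ACCESS', 2, 999),   -- tracker 2: closed to the user
  ('ARTIFACT_ACCESS', 2, 101),  -- artifact 2: specific permission, group 101
  ('ARTIFACT_ACCESS', 5, 999);  -- artifact 5: specific permission, other group
"""
# Artifact-level query; the HAVING clause encodes the three cases from the message.
QUERY = """
SELECT a.id FROM artifact a {tracker_join}
LEFT JOIN permissions ap
  ON ap.permission_type = 'ARTIFACT_ACCESS' AND ap.object_id = a.id
GROUP BY a.id
HAVING COUNT(ap.object_id) = 0 OR SUM(ap.ugroup_id = :ug) > 0
ORDER BY a.id
"""
# Tracker join with no permission_type condition: any row with that object_id matches.
UNTYPED_JOIN = "JOIN permissions tp ON tp.object_id = a.tracker_id AND tp.ugroup_id = :ug"

def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP)
    return db

def artifact_ids(db, ugroup, tracker_join=""):
    rows = db.execute(QUERY.format(tracker_join=tracker_join), {"ug": ugroup})
    return [row[0] for row in rows]

def readable_artifacts(db, ugroup):
    """Join-free query, then a typed tracker check standing in for the calling code."""
    trackers = {row[0] for row in db.execute(
        "SELECT object_id FROM permissions"
        " WHERE permission_type = 'TRACKER_ACCESS' AND ugroup_id = ?", (ugroup,))}
    candidates = set(artifact_ids(db, ugroup))
    rows = db.execute("SELECT id, tracker_id FROM artifact ORDER BY id").fetchall()
    return [aid for aid, tid in rows if aid in candidates and tid in trackers]

if __name__ == "__main__":
    db = connect()
    print("untyped tracker join:", artifact_ids(db, 101, UNTYPED_JOIN))
    print("join dropped, candidates:", artifact_ids(db, 101))
    print("after typed tracker check:", readable_artifacts(db, 101))
```

With the untyped join, artifact 4 is reported because the artifact permission row for object 2 is mistaken for a permission on tracker 2. With the join dropped, artifact 4 is still returned as a candidate (case 1) and is excluded only by the later tracker check.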