•  
     
    story #10677 ensure query is consistent before execution
Summary
Empty
ensure query is consistent before execution

I don't query on fields/tracker/project I'm not allowed to see

Introduce a runtime check to ensure that everything that will happen after is done on right bases (structure, permission, etc).

In that step, we focus on Permissions, it means that prior to execute any query there should be a check to ensure that current user has the right to

  • Access all projects involved in the query
  • Access all trackers involved in the query
  • Access all fields used in the search query
  • Access all columns displayed in the result

If at least one of the condition is not met, users get an error message telling them their not allowed to see the content for one of the reason above.

To avoid any leak of information, the error message only mention the category of error the user is in (eg "You cannot access all trackers of the search") but doesn't point out which one.

Empty
Empty
Status
Empty
Done
Development
  • [ ] Does it involves User Interface? 
  • [ ] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need Javascript development?
  • [ ] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
Empty
Details
#10677
Manuel Vacelet (vaceletm)
2017-11-29 09:00
2017-09-21 14:09
4426

References

Follow-ups

User avatar
Thomas Gerbet (tgerbet)2017-11-24 11:26
  • So that
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
  • Status changed from Ready (stalled) to On going
  • Permissions set to