    story #10677 ensure query is consistent before execution
Summary
ensure query is consistent before execution

I don't query on fields, trackers or projects I'm not allowed to see

Introduce a runtime check to ensure that everything that happens afterwards is done on the right basis (structure, permissions, etc.).

In this step we focus on permissions: before any query is executed, there must be a check that the current user has the right to

  • Access all projects involved in the query
  • Access all trackers involved in the query
  • Access all fields used in the search query
  • Access all columns displayed in the result

If at least one of these conditions is not met, the user gets an error message telling them they are not allowed to see the content, for one of the reasons above.

To avoid any leak of information, the error message only mentions the category of error (e.g. "You cannot access all trackers of the search") but does not point out which one. Naming the offending project, tracker or field would confirm to the user that it exists even though they cannot see it.
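The gate described above, as an added example that is not Tuleap's own code: it is written in Python rather than the project's PHP, and the `Query`, `Grants`, `QueryNotAllowed` names, the four message strings and the sample ids are all assumptions for the illustration. It checks projects, trackers, search fields and displayed columns in that order, stops at the first category that fails, and only then lets the query run; the message never carries an identifier.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Query:
    """Everything a cross-tracker search touches, resolved before execution."""
    project_ids: FrozenSet[int]
    tracker_ids: FrozenSet[int]
    search_field_ids: FrozenSet[int]   # fields used in the search criteria
    column_field_ids: FrozenSet[int]   # fields displayed in the result


class QueryNotAllowed(Exception):
    """Raised before execution; carries the failing category but no object id."""

    def __init__(self, category: str, message: str) -> None:
        super().__init__(message)
        self.category = category


# One fixed message per category; no identifier of the offending object.
CATEGORY_MESSAGES: Dict[str, str] = {
    "projects": "You cannot access all projects of the search",
    "trackers": "You cannot access all trackers of the search",
    "fields": "You cannot access all fields used in the search query",
    "columns": "You cannot access all columns displayed in the result",
}


@dataclass
class Grants:
    """Hypothetical stand-in for a permissions manager: readable ids per user."""
    projects: Dict[str, FrozenSet[int]]
    trackers: Dict[str, FrozenSet[int]]
    fields: Dict[str, FrozenSet[int]]

    def can_read_project(self, user: str, project_id: int) -> bool:
        return project_id in self.projects.get(user, frozenset())

    def can_read_tracker(self, user: str, tracker_id: int) -> bool:
        return tracker_id in self.trackers.get(user, frozenset())

    def can_read_field(self, user: str, field_id: int) -> bool:
        return field_id in self.fields.get(user, frozenset())


def ensure_query_is_allowed(user: str, query: Query, grants: Grants) -> None:
    """Check the four categories in order and stop at the first failure, so a
    missing project permission is never refined into 'which tracker/field'."""
    checks: List[Tuple[str, FrozenSet[int], Callable[[str, int], bool]]] = [
        ("projects", query.project_ids, grants.can_read_project),
        ("trackers", query.tracker_ids, grants.can_read_tracker),
        ("fields", query.search_field_ids, grants.can_read_field),
        ("columns", query.column_field_ids, grants.can_read_field),
    ]
    for category, ids, can_read in checks:
        if not all(can_read(user, object_id) for object_id in ids):
            raise QueryNotAllowed(category, CATEGORY_MESSAGES[category])


def run_query(user: str, query: Query, grants: Grants,
              execute: Callable[[Query], str]) -> str:
    """Gate: the permission check runs first; the query runs only if it passes."""
    ensure_query_is_allowed(user, query, grants)
    return execute(query)


# Constructed sample data: one query over two trackers of project 101.
SAMPLE_QUERY = Query(
    project_ids=frozenset({101}),
    tracker_ids=frozenset({7, 8}),
    search_field_ids=frozenset({700, 801}),
    column_field_ids=frozenset({702, 803}),
)

ALL_FIELDS = frozenset({700, 702, 801, 803})
SAMPLE_GRANTS = Grants(
    projects={"alice": frozenset({101}), "bob": frozenset({101}),
              "carol": frozenset({101}), "dave": frozenset()},
    trackers={"alice": frozenset({7, 8}), "bob": frozenset({7}),   # bob lacks tracker 8
              "carol": frozenset({7, 8}), "dave": frozenset()},
    fields={"alice": ALL_FIELDS, "bob": ALL_FIELDS,
            "carol": ALL_FIELDS - {803},                           # carol lacks column 803
            "dave": frozenset()},
)


def attempt(user: str) -> dict:
    """Run SAMPLE_QUERY as `user`; report the outcome and whether execution happened."""
    executed: List[Query] = []

    def execute(query: Query) -> str:
        executed.append(query)
        return "searched %d trackers" % len(query.tracker_ids)

    try:
        result = run_query(user, SAMPLE_QUERY, SAMPLE_GRANTS, execute)
        return {"allowed": True, "category": None, "message": result,
                "executed": bool(executed)}
    except QueryNotAllowed as denied:
        return {"allowed": False, "category": denied.category,
                "message": str(denied), "executed": bool(executed)}
```

Two design points matter in practice: `execute` must not be reachable except through `run_query`, otherwise the gate can be bypassed by another caller; and the columns check is separate from the search-fields check because a user may be allowed to filter on a field yet not to see its values in the result (or the reverse), so both sets need their own pass.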

Status
Done
Development
  • [ ] Does it involve User Interface?
  • [ ] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need Javascript development?
  • [ ] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
Details
#10677
Manuel Vacelet (vaceletm)
2017-11-29 09:00
2017-09-21 14:09
4427

References

Follow-ups

Thomas Gerbet (tgerbet)2017-11-24 11:26
  • So that
  • Acceptance criteria
  • Status changed from Ready (stalled) to On going
  • Permissions set to