•  
     
    story #20986 see tuleap artifact title in GitLab
Summary
developer
see tuleap artifact title in GitLab

I got a chance to get references errors (eg. using TULEAP-1235 instead of TULEAP-1234)

At commit time

When TULEAP-XXX is present in a commit message, a Merge Request (MR) title or description or in a tag:

  • and XXX is an artifact part of the Tuleap project the GitLab repository is integrated with
  • and XXX has a title semantic
  • and the title field is readable by "all_users" (regardless of the permission of the project)

Then, the Tuleap Bot comment with message:

This X references: [TULEAP-XXX title](https://...).

Artifact lifecycle

When artifact XXX title is updated and the permission of the field are still READ to all_users, Tuleap Bot will push the new title:

Referenced Tuleap artifact TULEAP-XXX was renamed to [TULEAP-XXX new title](https://...).

Security guards

Protections again possible exfiltration of data by malicious GitLab user. That is to say that someone using the GitLab instance to craft commits or MR to enumerate Tuleap artifacts "TULEAP-1, TULEAP-2, ...." to get access to data that might be confidential on the Tuleap instance.

To prevent this exfiltration of data:

  • When a GitLab repository is linked to a Tuleap, reference (TULEAP-XXX) can only be made to artifacts within the project (artifact 1234 must be part of the Tuleap project).
    • If it's not, the Tuleap Bot will comment on the MR with "TULEAP-XXX not found in project YYYY"
  • For the title to be included in the message, the data must already be public:
    • The platform must be open to anonymous
    • The Tuleap project the referenced artifact belongs to must be public
    • The tracker the artifact belongs to must be accessible to "all_users"
    • the Read permission of the Title field must be set to "all_users", otherwise it's only the bare link.
Empty
Empty
Status
Empty
Canceled
Development
  • [ ] Does it involves User Interface? 
  • [ ] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need Javascript development?
  • [ ] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
Empty
Details
#20986
Manuel Vacelet (vaceletm)
2021-05-07 14:44
2021-05-03 09:41
3777

References

Follow-ups

User avatar
  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
User avatar
  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes