Defect #13762
openSCM auto status change bypassses roles and permissions
0%
Description
Hi,
Encountered unexpected behavior yesterday when i accidentally added a Git archive cloned from another site (buildroot in this case) which contained a lot of commit-messages like
"Closes #1123"
This ended up in a lot of actions like:
Updated by Anonymous about 9 hours ago Status changed from New to Resolved % Done changed from 0 to 100 Comment Edit Applied in changeset alleatoautomationplatform:buildroot|commit:4f0361ab2ca4f25207c84b557e31319c9a417a76.
This was not only in the project the Repository is in but sitewide.
The user Anonymous have no permissions set.
This differs in two ways from my expected behavior:
1) The anonymous user should not be able to close issues.
2) A repo commit should only be able to modify issues in the same project as the repo.
This is an old installation that have gone through several upgrades. Unfortunately I don't have time to reproduce it in a clean environment but I thought it might be best reporting it anyway since it is security related.
Ruby version 1.9.3 (x86_64-linux) RubyGems version 1.8.23 Rack version 1.4 Rails version 3.2.13 Active Record version 3.2.13 Action Pack version 3.2.13 Active Resource version 3.2.13 Action Mailer version 3.2.13 Active Support version 3.2.13 Middleware Rack::Cache, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x0000000289ede0>, Rack::Runtime, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Callbacks, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, RedmineDmsf::NoParse, ActionDispatch::ParamsParser, ActionDispatch::Head, Rack::ConditionalGet, Rack::ETag, ActionDispatch::BestStandardsSupport, OpenIdAuthentication Application root /var/www/redmine-2.2 Environment production Database adapter mysql2 Database schema version 20121026003537
Thanks in advance and thank you for a great product. We love it!
Marcus
Related issues
Updated by Toshi MARUYAMA over 11 years ago
- Status changed from New to Confirmed
- Target version set to 2.3.1
Updated by Toshi MARUYAMA over 11 years ago
- Target version changed from 2.3.1 to 2.4.0
Updated by Toshi MARUYAMA over 11 years ago
- Subject changed from Repositories bypassses roles and pesmissions to SCM auto status change bypassses roles and pesmissions
Updated by Etienne Massip over 11 years ago
I disagree with this one, Anonymous here is not the Redmine anonymous user but a developer which has commit access to the repository and which SCM identifier is not mapped to an actual Redmine user, this is far from being a lambda person but a member of the project.
This should not be touched IMHO.
Updated by Marcus Rejås over 11 years ago
Etienne Massip wrote:
I disagree with this one, Anonymous here is not the Redmine anonymous user but a developer which has commit access to the repository and which SCM identifier is not mapped to an actual Redmine user, this is far from being a lambda person but a member of the project.
This should not be touched IMHO.
I understand but it might lead to security breaches. You say that the person is being member of the project, but really it is member of any project. So if a committer by accident or on purpose mistypes the issue-id or enters one belonging to an external ticket system he or she might change things in a project where he or she might not have access. The person who made the mistake will not then be alerted at all and have no way to correct the problem.
My solution is to add three configuratoin options to the repos.
[] Allow altering of tickets through commit messages
[] Allow system wide altering of tickets through commit messages
[] Allow Non-mapped users in the repo to alter tickets through commit messages
We track external repos in some projects and this led to some confusion (to say the least) ...
Updated by Toshi MARUYAMA over 11 years ago
- Related to Defect #14276: Limit users than can reference and fix issues in commit messages added
Updated by Toshi MARUYAMA over 11 years ago
- Related to deleted (Defect #14276: Limit users than can reference and fix issues in commit messages)
Updated by Toshi MARUYAMA over 11 years ago
- Has duplicate Defect #14276: Limit users than can reference and fix issues in commit messages added
Updated by Etienne Massip over 11 years ago
- Subject changed from SCM auto status change bypassses roles and pesmissions to SCM auto status change bypassses roles and permissions
Updated by Toshi MARUYAMA over 11 years ago
- Has duplicate Defect #14826: Project permissions not respected in Fix/Reference commit added
Updated by Jean-Philippe Lang about 11 years ago
- Target version changed from 2.4.0 to Candidate for next major release
The root problem should be fixed by r4823 which disables issue updates when importing old commits. The requested option "Allow system wide altering of tickets through commit messages" is also already available as "Allow issues of all the other projects to be referenced and fixed".
Updated by Mischa The Evil about 11 years ago
Updated by Toshi MARUYAMA about 11 years ago
- Related to Feature #4823: Don't evaluate commit-message "refs, closes, ..." when adding a repository added
Updated by Go MAEDA almost 9 years ago
- Has duplicate Feature #13792: Fixing via git push should not break workflow added
Updated by Go MAEDA 6 months ago
- Is duplicate of Defect #40874: Status change by commit added