Defect #13762
openSCM auto status change bypasses roles and permissions
Description
Hi,
Encountered unexpected behavior yesterday when I accidentally added a Git archive cloned from another site (buildroot in this case) which contained a lot of commit messages like
"Closes #1123"
This ended up in a lot of actions like:
Updated by Anonymous about 9 hours ago Status changed from New to Resolved % Done changed from 0 to 100 Comment Edit Applied in changeset alleatoautomationplatform:buildroot|commit:4f0361ab2ca4f25207c84b557e31319c9a417a76.
This was not only in the project the Repository is in but sitewide.
The user Anonymous has no permissions set.
This differs in two ways from my expected behavior:
1) The anonymous user should not be able to close issues.
2) A repo commit should only be able to modify issues in the same project as the repo.
This is an old installation that has gone through several upgrades. Unfortunately I don't have time to reproduce it in a clean environment, but I thought it might be best to report it anyway since it is security related.
Ruby version 1.9.3 (x86_64-linux)
RubyGems version 1.8.23
Rack version 1.4
Rails version 3.2.13
Active Record version 3.2.13
Action Pack version 3.2.13
Active Resource version 3.2.13
Action Mailer version 3.2.13
Active Support version 3.2.13
Middleware Rack::Cache, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x0000000289ede0>, Rack::Runtime, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Callbacks, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, RedmineDmsf::NoParse, ActionDispatch::ParamsParser, ActionDispatch::Head, Rack::ConditionalGet, Rack::ETag, ActionDispatch::BestStandardsSupport, OpenIdAuthentication
Application root /var/www/redmine-2.2
Environment production
Database adapter mysql2
Database schema version 20121026003537
Thanks in advance and thank you for a great product. We love it!
Marcus
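The two checks the report asks for (same project as the repository, and a committer who actually holds an issue-editing permission there) can be modelled in a few lines. The following is an added stand-alone Ruby example written for this page; it is not Redmine's code and uses hypothetical names (`Issue`, `Repository`, `User`, `ReferenceProcessor`) and constructed sample data. A commit whose author e-mail is not mapped to any user is treated the way the report's "Anonymous" case should be: the reference is logged but no status change is applied.

```ruby
# Added example (not Redmine's code): only apply "Closes #N" / "Fixes #N"
# references from a commit message when the referenced issue is in the
# repository's own project AND the committer maps to a user who holds
# :edit_issues in that project. All names here are hypothetical.

Issue      = Struct.new(:id, :project, :status, :done_ratio)
Repository = Struct.new(:project)
User       = Struct.new(:name, :permissions) # permissions: { "project" => [:edit_issues] }

FIXING_KEYWORDS = %w[closes fixes resolves].freeze
REF_PATTERN     = /\b(#{FIXING_KEYWORDS.join('|')})\s+#(\d+)/i

class ReferenceProcessor
  def initialize(issues:, users_by_email:)
    @issues         = issues.each_with_object({}) { |i, h| h[i.id] = i }
    @users_by_email = users_by_email
  end

  # Scans a commit message and returns one audit record per reference.
  # An issue is modified only when the decision is :applied.
  def process(repo, author_email, message)
    user = @users_by_email[author_email]
    message.scan(REF_PATTERN).map do |_keyword, id|
      issue    = @issues[id.to_i]
      decision = decide(repo, user, issue)
      apply(issue) if decision == :applied
      { issue_id: id.to_i, decision: decision }
    end
  end

  private

  # Ordered checks: unknown issue, cross-project reference, unmapped
  # committer (the "Anonymous" case), missing permission, then allowed.
  def decide(repo, user, issue)
    return :unknown_issue      if issue.nil?
    return :cross_project      if issue.project != repo.project
    return :unmapped_committer if user.nil?
    return :forbidden          unless user.permissions.fetch(issue.project, []).include?(:edit_issues)
    :applied
  end

  def apply(issue)
    issue.status     = "Resolved"
    issue.done_ratio = 100
  end
end

# Constructed sample data: one issue in the repository's project, one in
# another project, and a committer mapped to a user with edit rights.
def demo
  issues = [
    Issue.new(1123, "buildroot", "New", 0),
    Issue.new(42,   "other",     "New", 0),
    Issue.new(7,    "buildroot", "New", 0)
  ]
  users = { "dev@example.test" => User.new("dev", { "buildroot" => [:edit_issues] }) }
  processor = ReferenceProcessor.new(issues: issues, users_by_email: users)
  repo      = Repository.new("buildroot")

  results  = processor.process(repo, "dev@example.test",     "Fix build. Closes #1123 and fixes #42")
  results += processor.process(repo, "unknown@example.test", "Closes #7")
  [results, issues]
end

if __FILE__ == $PROGRAM_NAME
  results, issues = demo
  results.each { |r| puts "##{r[:issue_id]}: #{r[:decision]}" }
  issues.each  { |i| puts "##{i.id} #{i.project} #{i.status} #{i.done_ratio}%" }
end
```

The audit records are the useful part for a defender: every reference that was refused (cross-project, unmapped committer, forbidden) is still recorded, so a batch of imported commits like the one in the report shows up in the log without touching any issue.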
Related issues