Defect #37187
closed
no-permission-check allows issue creation in closed/archived projects
Added by Felix Schäfer over 2 years ago.
Updated over 2 years ago.
Description
Setting --no-permission-check in the mail receiver allows creating issues and probably other objects in closed and archived projects. This is probably not what this option is intended for.
Files
We will work on a patch and submit it here.
The attached patch adds 2 tests demonstrating the problem when sending an email that would created a new issue. The patch also contains a proposed fix.
- Target version set to 4.2.7
Setting the target version to 4.2.7.
Thank you. We are currently working on another patch that would introduce a different Error class for this case. This would be useful for plugins that need to differentiate between "this is not possible in that project" and "this is not possible for this user".
Could you please hold back on applying this patch? Do you think having different Error classes for those 2 cases could be useful? We will propose another one shortly.
Please see the attached patch. It adds subclasses for UnauthorizedAction that allows backwards compatibility for code using UnauthorizedAction but still allows differentiating the error cases.
- Status changed from New to Closed
- Assignee set to Marius BĂLTEANU
- Resolution set to Fixed
Felix, patch committed and merged to stable branches. Thanks for reporting and fixing the issue!
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by