when using all_files-plugin this plugin breaks security

[bashforever]

I am using all_files-plugin in combination with your (great!) extended_watcher_plugin. I created a "watcher"-role which literally has no rights at all (even no ticket access) and have set ticket security to "view assigned tickets". Then I set for a test-user the role watcher within a existing project. The watcher then is restricted to tickets which he is watching (correct). In top menu all_files is globally available. If the watcher selects this, then (literally) all files of the project are visible and every associated ticket can be selected and viewed.

I did test the behaviour of all_files with the "assigned"-security and without the extended_watcher plugin and all_files worked OK allowing access only to those files with assigned tickets.

My request: I think extended_watchers breaks somewhere security used otherwise by all_files correctly. Could you please investigate? Thanks a lot.

Here my configuration:

Environment: Redmine version 2.2.4.stable Ruby version 1.8.7 (x86_64-linux) Rails version 3.2.13 Environment production Database adapter MySQL Redmine plugins: redmine_all_files 0.0.3 redmine_didyoumean 1.2.0 redmine_extended_watchers 0.0.4 redmine_monitoring_controlling 0.1.1

[maxrossello]

It could be obviously easier for the all_files plugin owner to inspect about the incompatibility about our plugins, since he knows the queries he's doing. I will nevertheless try to understand the problem, but I can promise to do that in best effort only, since this is not an issue in my company's Redmine environment.

In the meanwhile, you could maybe try if operating in other way may suite your needs. For example, you may assign literally no role, and make interested people just watch those issues (with no issue assignment). Is the files view still too open?

Thanks for the feedback

[bashforever]

Thanks for the fast reply. I tried your suggestion with assigning no role at all within the project to the test user. Now behaviour is as follows:

• the project is not visible at all to the test-user. this also works fine for all_files: nothing visible (everything OK)

Now assign the testuser as watcher to an issue:

• the project containing the watched issue is now available in projects-tab but selecting the project shows an internal error (OK but not nice)
• on "my site" the watched issue is shown correctly and can be selected and details shown (OK)
• all_files from top menu now shows again all files of the project (and the files can be accessed) even though the user has no rights at all and is not able to open the project via "projects", BUT the issues themselves can no longer be selected (showing 403 - no rights) - IMPROVEMENT

so this kind of configuration is an improvement.

could you please verify: if there is no right for the project at all (and the testuser is just watcher of an issue), selecting the project yields an redmine internal error (you have to go "back" in your browser)? If you could reproduce this and change to a "403 no permission" this would be (meanwhile) the way to go for me. The files being selectable is kind of problem of all_files plugin.

Thanks!

W.

[maxrossello]

Hi, people who is just watching issues in a project should see only the Issues tab with no other tabs present (neither Overview). There, the user should see the watched issues only. This is the intended behaviour, if not so either there is a bug or another incompatibility with some plugin. Please post a log if you can.

So, in summary this are the inspection points:

• with (empty) role applied, all_files shows all file entries and related issues only if extended_watchers is enabled

  browsing the issues should anyway return 403. All_files can be addressed a bug for displaying issues not visible to the user in the following point's context.

• error 500 while accessing the project as intended by extended_watchers with no roles applied, to be possibly checked for incompatibility with some other plugin in the list (all_files, didyoumean, monitoring_controlling).

Thank you

[bashforever]

Hi Max,

people who is just watching issues in a project should see only the Issues tab with no other tabs present (neither Overview). There, the user should see the watched issues only. This is the intended behaviour, if not so either there is a bug or another incompatibility with some plugin. Please post a log if you can

true: that is the observed beaviour (I cleared up the log but testing did not produce any log entries)

with (empty) role applied, all_files shows all file entries and related issues only if extended_watchers is enabled

true

browsing the issues should anyway return 403

true

All_files can be addressed a bug for displaying issues not visible to the user in the following point's context.

I will do that

error 500 while accessing the project as intended by extended_watchers with no roles applied, to be possibly checked for incompatibility with some other plugin in the list (all_files, didyoumean, monitoring_controlling).

true: Thanks

Thank you again!

Williwow

[maxrossello]

Hi, i do not get one thing: do you observe that, with no roles applied but watching some issue, visiting a project reports the intended behaviour or does it return error 500? Or does it depend from further conditions, e.g. only in presence of other plugins?

[bashforever]

Hi,

with no roles applied (for the given project), the project becomes visible in projects-tab as soon the testuser becomes watcher of at least one ticket. So: watching no tickets the project ist strictly unvisible, watching a ticket the project-link (!) becomes visible. Clicking the project-link (either from projects or from my-site.ticket-list) yields an the entirely white Internal-Error-page (there is no 500 - I was not precise on that) with only a browser-back-link.

I did not check the behaviour with uninstall of other plugins.

If you do not observe this I will attribute this to interference from other plugins and you can close the issue,

Thanks (from Austria)!

Williwow

[maxrossello]

watching no tickets the project is strictly unvisible, watching a ticket the project-link (!) becomes visible

this is correct. When I then click on the project link displayed into /projects, I can see just the watched issues list and no other tab in the project.

So, the white page error could be interference from other plugin but could also be my plugin not fully compatible with redmine 2.2 (I test on 2.3.3). My suggestion for you is to keep your Redmine updated to the second-latest supported branch (currently 2.3, latest is 2.4) in order to find, generally, better support from plugin developers, because it's a pain to test on older releases.

Regards, Max

[bashforever]

Thanks a lot for investigating! I will upgrade next year to latest stable version.

Regards

Williwow