weixin_39952502
2020-12-09 03:50

rpc: harden closeIssue access checks/validation

Similarly to #280, validate parameters on the server side.

I didn't bother to think much, just added checks similar to the ones #280 has:

```php
        // Access checks run before any state change: the caller must be allowed
        // to see the issue, must be assigned to it, and must be allowed to
        // change its status.
        $this->checkIssuePermissions($issue_id);
        $this->checkIssueAssignment($issue_id);

        if (!Access::canChangeStatus($issue_id, $usr_id)) {
            throw new RemoteApiException("User has no access to update issue #$issue_id");
        }
```

It also checks that the issue is not already closed:

```php
        // Reject a second close of an already closed issue instead of
        // silently re-applying the status change.
        if (Issue::isClosed($issue_id)) {
            throw new RemoteApiException("Issue #$issue_id already closed");
        }
```

This question comes from the open-source project: eventum/eventum


6 replies

  • weixin_39952502 5 months ago

    Also, I think I found a bug:

    ```php
            // FIXME: this doesn't validate that the status belongs to $issue_id's project
            $status_id = Status::getStatusID($new_status);
            if (!$status_id) {
                throw new RemoteApiException("Invalid status: $new_status");
            }
    ```

    How do you suggest fixing this (if at all)? Is there already a method for that?

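A self-contained sketch of the check ordering discussed in this PR, together with the project-scoped status lookup the FIXME above asks about. This is an added example, not Eventum's code: the IssueService class, its in-memory tables and its method names are assumptions.

```php
<?php
// Added example (not Eventum's code). Class, method and data names are hypothetical.
class RemoteApiException extends RuntimeException {}

final class IssueService
{
    // Constructed sample data: issue -> project and closed flag; status titles
    // keyed by project; assigned user ids per issue.
    private array $issues   = [42 => ['prj_id' => 1, 'closed' => false],
                               43 => ['prj_id' => 2, 'closed' => true]];
    private array $statuses = [1 => ['closed' => 10, 'fixed' => 11],
                               2 => ['closed' => 20, 'wontfix' => 21]];
    private array $assigned = [42 => [7], 43 => [7]];

    // Resolve a status title only within the issue's own project, so a title
    // that exists in some other project is rejected rather than applied.
    private function statusIdForProject(int $prj_id, string $title): ?int
    {
        return $this->statuses[$prj_id][strtolower($title)] ?? null;
    }

    public function closeIssue(int $issue_id, int $usr_id, string $new_status): int
    {
        if (!isset($this->issues[$issue_id])) {
            throw new RemoteApiException("Issue #$issue_id not found");
        }
        // 1. Caller must be assigned to the issue (stand-in for the
        //    checkIssueAssignment / Access::canChangeStatus checks in the PR).
        if (!in_array($usr_id, $this->assigned[$issue_id] ?? [], true)) {
            throw new RemoteApiException("User has no access to update issue #$issue_id");
        }
        // 2. Refuse to close an issue that is already closed.
        if ($this->issues[$issue_id]['closed']) {
            throw new RemoteApiException("Issue #$issue_id already closed");
        }
        // 3. Validate the status against the issue's project, not the global table.
        $status_id = $this->statusIdForProject($this->issues[$issue_id]['prj_id'], $new_status);
        if ($status_id === null) {
            throw new RemoteApiException("Invalid status for issue #$issue_id: $new_status");
        }
        $this->issues[$issue_id]['closed'] = true;
        return $status_id;
    }
}

$svc = new IssueService();
foreach ([[42, 7, 'wontfix'], [42, 7, 'fixed'], [43, 7, 'closed'], [42, 9, 'fixed']] as [$i, $u, $s]) {
    try { echo "issue $i -> status ", $svc->closeIssue($i, $u, $s), "\n"; }
    catch (RemoteApiException $e) { echo "rejected: ", $e->getMessage(), "\n"; }
}
```

The first call is rejected because 'wontfix' belongs to project 2 while issue 42 is in project 1, which is exactly the gap the FIXME describes.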
  • weixin_39952502 5 months ago

    Ping. Also, have you finished your parts for the 3.3.0 release?

  • weixin_39863371 5 months ago

    Sorry I totally missed this. Review submitted.

    I don't think I had anything else for 3.3.0, just merging the attachment changes. If you know of anything, let me know and I'll knock it out.

  • weixin_39952502 5 months ago

    A documentation update that 5.6 is now the required version. That's what I had in mind.

  • weixin_39863371 5 months ago

    I've updated the docs to say that only 5.6 is supported now.

  • weixin_39952502 5 months ago

    I'm fine with making the 3.3.0 release, although I can't test it myself before having applied the attachments PR. I haven't figured out whether I need to increase storage for the MySQL partition or not, or by how much...

    Actually, I created #300 for this (3.0.0 for #300, nice coincidence!).

