|
If you were logged in you would be able to see more operations.
|
|
|
JIRA
Created: 19/Jul/06 02:01 AM
Updated: 12/Feb/08 02:53 AM
|
|
| Component/s: |
Permissions Security
|
| Affects Version/s: |
3.6.3
|
| Fix Version/s: |
None
|
|
|
Time Tracking:
|
|
Original Estimate:
|
2 days
|
|
|
Remaining Estimate:
|
2 days
|
|
|
Time Spent:
|
Not Specified
|
|
|
|
|
File Attachments:
|
1.
AbstractIssueSelectAction.java (12 kb)
|
|
Issue Links:
|
Duplicate
|
|
|
|
This issue is duplicated by:
|
|
JRA-6140
Session Expiration and Resolve Issue
|
|
|
|
|
Reference
|
|
This issue relates to:
|
|
|
JRA-10013 User timeout exception for transition/create issue
|
|
|
|
 |
JRA-9171
A timed out session causes stacktraces in half-completed actions
|
|
|
|
|
|
JRA-11078 Better display of exception when users trying to perform operations (ManageWatcher) while not logged in.
|
|
|
|
|
|
This issue is related to:
|
|
|
JRA-5761 Session timeout should be handled more gracefully.
|
|
|
|
|
JRA-9815
Permission error on resolve when setting post workflow action to assign back to reporter
|
|
|
|
|
|
|
JRA-10205 was reported regarding the displaying of issue summary, reported and assignee, type and status on certain issue operations when not logged in. For 3.6.3 the solutions was to simply throw an IssuePermissionException when the user doesn't have Browse Issue permission for that issue. Please see that issue for a description of how it was done and what files were touched.
However, it was noted that there were at least four different ways the Issue actions might report this to the user.
- Custom handling in the operation view. Creates a very nice error page with the operation, and friendly error message - http://server/jira/secure/AddComment!default.jspa?id=12345
- "You are not logged in" message with standard Jira banner, user gets redirected to permission-violation page (permissionviolation.jsp), not so friendly, but the user gets the point - http://server/jira/secure/ViewIssue.jspa?id=12345 (note, this page has trackback info)
- "Access Denied" message with big red background, user gets redirected to security-breach page (securitybreach.jsp) with standard Jira banner, not so friendly big red message, user still gets the point - http://server/jira/secure/attachment/12345/logs_jira-int_11_03_2005.txt or the ViewVoters or ManageWatchers urls (no trackback info).
- 500 page catches IssuePermissionException, very, very unfriendly message, lots of nasty logging.
{note}all the Admin pages use the securitybreach.jsp{note}
These need to be standardised so all access denied reports are the same, and it is not possible to view any secure information if you do not have that permission.
While researching JRA-10205 the following was noted:
- IssuePermissionException is handled inconsistently. We need to either throw it from our Action.doValidate(), Action.doExecute() & Action.doDefault() methods or handle it in a consistent manner.
- We probably should handle the standard case in the framework. AbstractIssueSelectAction holds the issueObject, and should be able to handle 99% of the code paths. Attached is a version that does the 99% (doesn't handle the trackback case)
- We could further generify the issue handling of Actions by having them implement some kind of IssueAware interface and have an interceptor of the filter stack read the request parameters and insert the Issue into the action. This could also have a PermissionException injector method as well if the user cannot see an issue. (Please ask Scott for further information, as this is his idea).
- The trackback info is the wrinkle edge-case, we do actually have to provide some issue info in the trackback rdf if enabled.
Final caveat: The permission error page actually DOES HAVE TO HAVE the issue summary in it (if incoming trackbacks are turned on) in the trackback RDF. This currently works if the permissionviolation.jsp is the result (which it is for ViewIssue). We probably need to have a separate TrackbackIssueInfo object that the Issue can give us that is filtered through a trackback policy filter. Then we can have a trackback policy for enabling/disabling trackbacks based on their security (for instance allow trackbacks for public issues only, rinse issue summary from non public issues etc.)
|
|
Description
|
JRA-10205 was reported regarding the displaying of issue summary, reported and assignee, type and status on certain issue operations when not logged in. For 3.6.3 the solutions was to simply throw an IssuePermissionException when the user doesn't have Browse Issue permission for that issue. Please see that issue for a description of how it was done and what files were touched.
However, it was noted that there were at least four different ways the Issue actions might report this to the user.
- Custom handling in the operation view. Creates a very nice error page with the operation, and friendly error message - http://server/jira/secure/AddComment!default.jspa?id=12345
- "You are not logged in" message with standard Jira banner, user gets redirected to permission-violation page (permissionviolation.jsp), not so friendly, but the user gets the point - http://server/jira/secure/ViewIssue.jspa?id=12345 (note, this page has trackback info)
- "Access Denied" message with big red background, user gets redirected to security-breach page (securitybreach.jsp) with standard Jira banner, not so friendly big red message, user still gets the point - http://server/jira/secure/attachment/12345/logs_jira-int_11_03_2005.txt or the ViewVoters or ManageWatchers urls (no trackback info).
- 500 page catches IssuePermissionException, very, very unfriendly message, lots of nasty logging.
{note}all the Admin pages use the securitybreach.jsp{note}
These need to be standardised so all access denied reports are the same, and it is not possible to view any secure information if you do not have that permission.
While researching JRA-10205 the following was noted:
- IssuePermissionException is handled inconsistently. We need to either throw it from our Action.doValidate(), Action.doExecute() & Action.doDefault() methods or handle it in a consistent manner.
- We probably should handle the standard case in the framework. AbstractIssueSelectAction holds the issueObject, and should be able to handle 99% of the code paths. Attached is a version that does the 99% (doesn't handle the trackback case)
- We could further generify the issue handling of Actions by having them implement some kind of IssueAware interface and have an interceptor of the filter stack read the request parameters and insert the Issue into the action. This could also have a PermissionException injector method as well if the user cannot see an issue. (Please ask Scott for further information, as this is his idea).
- The trackback info is the wrinkle edge-case, we do actually have to provide some issue info in the trackback rdf if enabled.
Final caveat: The permission error page actually DOES HAVE TO HAVE the issue summary in it (if incoming trackbacks are turned on) in the trackback RDF. This currently works if the permissionviolation.jsp is the result (which it is for ViewIssue). We probably need to have a separate TrackbackIssueInfo object that the Issue can give us that is filtered through a trackback policy filter. Then we can have a trackback policy for enabling/disabling trackbacks based on their security (for instance allow trackbacks for public issues only, rinse issue summary from non public issues etc.) |
Show » |
|
Bug
JRA-6140for another take on this...