Details
Suggestion
Resolution: Unresolved
Description
If you add someone to a review, Crucible checks whether the user has permission to be added but does not check whether the user has permission to see the underlying repository.
(Hopefully, there is a check on the author adding revisions to the review that at least they have permission to see those revisions!)
Thus someone can be added to a review and see the content of the files in the review.
More subtly, the same happens when a patch review anchors - the reviewers can see the full context of the files that have anchored, where the author may not be aware of this.
Potential solutions? A total rethink of permissions in FECru, with projects becoming the top-level items in FishEye and repositories becoming part of projects. Permissions all project-based.
Workaround
By default, a Crucible project caches the content of files added from a Fisheye repository. You can disable this option in Administration > Projects > Edit project > 'Store the contents of files in reviews'. When it is disabled, Crucible always calls Fisheye to fetch file content when a reviewer opens a file, and repository permissions are enforced during that fetch.
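The following is an added illustrative model, written for this page and not code from Crucible or FishEye, of the authorization gap in the description and of the two defences: the 'Store the contents of files in reviews' workaround above, and a repository-read check at the point where a reviewer is added. All class and function names (ReviewServer, add_reviewer_as_reported, add_reviewer_hardened, and so on), the project, repository, users and file contents are invented for the example.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class Repository:
    name: str
    viewers: set            # users allowed to read this repository
    files: dict             # path -> content


@dataclass
class ReviewFile:
    repo: str
    path: str


@dataclass
class Review:
    project: str
    files: list
    reviewers: set = field(default_factory=set)
    store_contents: bool = True   # models the 'Store the contents of files in reviews' setting
    cache: dict = field(default_factory=dict)


class ReviewServer:
    """Hypothetical review server: a project-level reviewer list plus per-repository ACLs."""

    def __init__(self, repos, project_members):
        self.repos = {r.name: r for r in repos}
        self.project_members = project_members   # project -> users who may be reviewers

    def fetch_from_repo(self, user, repo, path):
        """Models the repository side: every read is checked against repository permissions."""
        r = self.repos[repo]
        if user not in r.viewers:
            raise PermissionDenied(f"{user} may not read repository {repo}")
        return r.files[path]

    def create_review(self, author, project, files, store_contents=True):
        review = Review(project, files, store_contents=store_contents)
        for f in files:
            content = self.fetch_from_repo(author, f.repo, f.path)   # the author's access is checked
            if store_contents:
                review.cache[(f.repo, f.path)] = content             # content now lives in the review
        review.reviewers.add(author)
        return review

    def add_reviewer_as_reported(self, review, user):
        """The behaviour in the report: only 'may this user be a reviewer?' is checked."""
        if user not in self.project_members[review.project]:
            raise PermissionDenied(f"{user} cannot be a reviewer in {review.project}")
        review.reviewers.add(user)

    def add_reviewer_hardened(self, review, user):
        """Hardened form: the user must also be able to read every repository the review touches."""
        if user not in self.project_members[review.project]:
            raise PermissionDenied(f"{user} cannot be a reviewer in {review.project}")
        for f in review.files:
            if user not in self.repos[f.repo].viewers:
                raise PermissionDenied(f"{user} may not read repository {f.repo}")
        review.reviewers.add(user)

    def view_file(self, review, user, f):
        if user not in review.reviewers:
            raise PermissionDenied(f"{user} is not on this review")
        key = (f.repo, f.path)
        if review.store_contents and key in review.cache:
            return review.cache[key]          # served from the review cache: no repository check
        return self.fetch_from_repo(user, f.repo, f.path)   # cache off: repository ACL applies


def run_scenarios():
    """Constructed scenario: repository 'secret' is readable only by alice; bob is a project member."""
    def build(store_contents):
        server = ReviewServer(
            repos=[Repository("secret", viewers={"alice"}, files={"keys.txt": "api-key=EXAMPLE"})],
            project_members={"PROJ": {"alice", "bob"}},
        )
        review = server.create_review("alice", "PROJ", [ReviewFile("secret", "keys.txt")], store_contents)
        return server, review

    results = {}
    # 1. Reported behaviour with caching on: bob is added and reads the cached content.
    server, review = build(store_contents=True)
    server.add_reviewer_as_reported(review, "bob")
    results["cached_leak"] = server.view_file(review, "bob", review.files[0])

    # 2. Workaround: caching off, so the view goes through the repository check and is denied.
    server, review = build(store_contents=False)
    server.add_reviewer_as_reported(review, "bob")
    try:
        server.view_file(review, "bob", review.files[0])
        results["workaround_blocks"] = False
    except PermissionDenied:
        results["workaround_blocks"] = True

    # 3. Hardened add-reviewer check: bob cannot be added to the review at all.
    server, review = build(store_contents=True)
    try:
        server.add_reviewer_hardened(review, "bob")
        results["hardened_blocks_add"] = False
    except PermissionDenied:
        results["hardened_blocks_add"] = True
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 1 is the leak as reported, scenario 2 is the workaround (the content check moves back to the repository on every read), and scenario 3 shows why the workaround alone is incomplete as a design: with caching on, the only place to enforce repository permissions is when the reviewer is added, which is what the project-based permission model proposed in the description would make systematic.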