Crucible issue CRUC-5638

Code reviews with cached content should respect current repository permissions

Details

    • Type: Suggestion
    • Resolution: Unresolved
    • Component: User interface

    Description

      If you add someone to a review, Crucible checks whether the user has permission to be added but does not check whether the user has permission to see the underlying repository.

      (Hopefully, there is a check on the author adding revisions to the review that at least they have permission to see those revisions!)

      Thus a user who has no permission on the underlying repository can be added to a review and see the content of the files in that review.

      More subtly, the same happens when a patch review anchors: the reviewers can then see the full context of the files that have anchored, and the author may not be aware of this.

      Potential solutions? A total rethink of permissions in FECru, with projects becoming the top-level items and FishEye repositories becoming part of projects, so that all permissions are project based.

      Workaround

      By default, a Crucible project caches the content of files added from a FishEye repository. You can disable this option in Administration > Projects > Edit project > 'Store the contents of files in reviews'. When it is disabled, Crucible always calls FishEye to fetch file content when reviewing, and repository permissions are respected during that fetch.
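As an added illustration that is not Crucible's code, the following Python model reproduces the gap described above and shows why the workaround closes it. `Repository`, `Review`, `ReviewService`, the user names and the file content are all constructed for this example; the only behaviour taken from the issue is that adding a reviewer checks only whether the user may be added, that a cached snapshot is taken with the author's rights, and that the FishEye-style fetch enforces the repository's current permissions on every read.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when a user is not allowed to perform the requested action."""


@dataclass
class Repository:
    # Hypothetical stand-in for a FishEye repository with its own ACL.
    name: str
    readers: set          # users currently allowed to read this repository
    files: dict           # path -> content (constructed sample data)

    def fetch(self, user: str, path: str) -> str:
        # The fetch path always enforces the repository's current permissions.
        if user not in self.readers:
            raise PermissionDenied(f"{user} may not read repository {self.name}")
        return self.files[path]


@dataclass
class Review:
    author: str
    repo: Repository
    paths: list
    reviewers: set = field(default_factory=set)
    cache: dict = field(default_factory=dict)   # path -> content snapshot


class ReviewService:
    def __init__(self, store_file_contents: bool):
        # Models the project option 'Store the contents of files in reviews'.
        self.store_file_contents = store_file_contents

    def create_review(self, author, repo, paths):
        review = Review(author, repo, list(paths))
        for path in paths:
            # The author must be able to see the revisions they add; any
            # snapshot is taken with the author's rights at creation time.
            content = repo.fetch(author, path)
            if self.store_file_contents:
                review.cache[path] = content
        return review

    def add_reviewer(self, review, user, may_be_added=True):
        # Only "may this user be added to the review" is checked here,
        # not "may this user see the underlying repository".
        if not may_be_added:
            raise PermissionDenied(f"{user} may not be added to the review")
        review.reviewers.add(user)

    @staticmethod
    def _require_participant(review, user):
        if user != review.author and user not in review.reviewers:
            raise PermissionDenied(f"{user} is not a participant in the review")

    def view_file_leaky(self, review, user, path):
        # Behaviour the issue describes: a cached copy is served to any
        # participant without consulting repository permissions.
        self._require_participant(review, user)
        if path in review.cache:
            return review.cache[path]
        return review.repo.fetch(user, path)

    def view_file_fixed(self, review, user, path):
        # Hardened version: the repository's current permissions are checked
        # on every access, whether or not a cached copy exists.
        self._require_participant(review, user)
        if user not in review.repo.readers:
            raise PermissionDenied(f"{user} may not read repository {review.repo.name}")
        if path in review.cache:
            return review.cache[path]
        return review.repo.fetch(user, path)


def _attempt(view, review, user, path):
    try:
        view(review, user, path)
        return "served"
    except PermissionDenied:
        return "denied"


def reviewer_without_repo_access(store_file_contents):
    """bob is added to a review on a repository he cannot read."""
    repo = Repository("secret-repo", readers={"alice"},
                      files={"src/auth.c": "/* constructed file content */"})
    svc = ReviewService(store_file_contents)
    review = svc.create_review("alice", repo, ["src/auth.c"])
    svc.add_reviewer(review, "bob")
    return (_attempt(svc.view_file_leaky, review, "bob", "src/auth.c"),
            _attempt(svc.view_file_fixed, review, "bob", "src/auth.c"))


def access_revoked_after_caching():
    """alice's repository access is removed after the review was created."""
    repo = Repository("secret-repo", readers={"alice"},
                      files={"src/auth.c": "/* constructed file content */"})
    svc = ReviewService(store_file_contents=True)
    review = svc.create_review("alice", repo, ["src/auth.c"])
    repo.readers.discard("alice")
    return (_attempt(svc.view_file_leaky, review, "alice", "src/auth.c"),
            _attempt(svc.view_file_fixed, review, "alice", "src/auth.c"))


if __name__ == "__main__":
    print("cache on, reviewer lacks repo access:", reviewer_without_repo_access(True))
    print("cache off (workaround):", reviewer_without_repo_access(False))
    print("cache on, access revoked:", access_revoked_after_caching())
```

Each scenario returns a pair (leaky behaviour, fixed behaviour). With caching on, the leaky path serves the file to a reviewer who cannot read the repository and keeps serving it to an author whose access was later revoked; turning the cache off makes the leaky path fall through to the permission-checked fetch, which is exactly the workaround. The fixed path denies in both cases because it re-checks the repository ACL at access time rather than trusting a decision made when the reviewer was added or the snapshot was taken.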


              People

              Assignee: Unassigned
              Reporter: mwatson@atlassian.com (mwatson)
              Votes: 5
              Watchers: 6
