Details
-
Bug
-
Resolution: Won't Fix
-
Medium
-
None
-
3.12.3
-
3.12
-
1
-
Severity 1 - Critical
-
0
-
Description
The "Assign Users to Project Role" screen does not check whether the project still exists. In a multi-tab browser, if a user deletes the project in one tab and assigns the user to a project role in another tab for the same project, it does not give warning. Moreover, it makes all projects created afterwards have that user in that project role.
Steps to reproduce:
- From the View project screen (where you can delete project), open "Project role: View members" link in new tab. Click edit users of a project role (e.g., Developer).
- Delete the project with the View project screen
- In the "Assign Users to Project Role: Developer" screen, add an arbitrary user to project role. There is no warning/error that project has been deleted.
- Create a new project. Check the project role members. The user is already a member even though the project is newly created.
The problem is that the UserRoleActorAction is re-used for setting both a project's role actors as well as the default role actors. If getProject() == null then it will add the user to the default project roles, which can be the case if an projectId was used of a deleted project. To fix this we should either:
- Fix up the logic in the action such that we only update the default roles if the projectId was null. If the projectId is set, we should try to retrieve a project and if none can be found an error should be thrown!
- Separate the logic into 2 web-actions for setting a project's role members and for setting the default project role members.
If this is affecting you, simply go the the Project Role Browser in the admin section and update the default role memberships to stop new projects from having incorrect default role members.