MantisBT - TestLink
View Issue Details
0004862TestLinkUsers and Rightspublic2012-01-10 15:442012-09-01 19:59
1.9.3 (2011 Q3 - bug fixing) 
1.9.4 (2012 Q3 - bug fixing) 
IE 8
0004862: Users rights on requirements are bypassed with interproject requirements relations
When a user does not have rights on requirements of project A (guest profile for example), he has possibility to view and even modify a requirement on this project A, when he access it via the relation table of a linked requirement defined in another project B (on which he has requirement view rights)
- configure your server with param $tlCfg->req_cfg->relations->interproject_linking = TRUE;
- define two projects PRJ-1, PRJ-2
- create 2 requirements REQ-1 in PRJ-1, REQ-2 in PRJ-2
- add a relation between REQ-1 and REQ-2
- define a user user1 with default role guest
- assign test project rights for user1 : leader on PRJ-1, guest on PRJ-2
- login with user1 and select project PRJ-2 => user1 can't access requirement specification (this is OK)
- now select PRJ-1 as current project
- select REQ-1 to display it via Requirement Specification
- click on the hypertext link REQ-2 displayed in the relation table of REQ-1
=> user1 access to REQ-2 even for edition, via the dialog window displayed by openLinkedReqWindow() call (this is KO, user1 has no rights to view or edit REQ-2)
TO BE FIXED on 2.0
Issue History
2012-01-10 15:44frlNew Issue
2012-01-10 20:46fmanAssigned To => fman
2012-01-10 20:46fmanStatusnew => assigned
2012-01-11 19:38fmanNote Added: 0016218
2012-01-11 21:04fmanNote Added: 0016219
2012-01-11 21:05fmanTag Attached: TO BE FIXED on 2.0
2012-01-11 21:05fmanStatusassigned => feedback
2012-01-12 16:19frlNote Added: 0016222
2012-01-12 16:19frlStatusfeedback => assigned
2012-01-13 08:35frlNote Edited: 0016222bug_revision_view_page.php?bugnote_id=16222#r1634
2012-01-16 19:01fmanStatusassigned => resolved
2012-01-16 19:01fmanFixed in Version => 1.9.4 (2012 Q3 - bug fixing)
2012-01-16 19:01fmanResolutionopen => fixed
2012-09-01 19:59fmanNote Added: 0017356
2012-09-01 19:59fmanStatusresolved => closed

2012-01-11 19:38   
Think all related requirements (no matter test project they belong to and USER RIGHT on each test project) have to be displayed.
If we do not proceed this way we will generate confusion, because different users will get different views.
User can access always in READONLY Mode req, surelly Read/Write mode has to obey user rights on each test project
2012-01-11 21:04   
1.9.x [^]

please try to port this code to your 1.9.3, test and give us feedback
2012-01-12 16:19   
(edited on: 2012-01-13 08:35)
I agree that the content of relations table must always be the same :
If user1 has rights to view REQ-1, all the relations set for REQ-1 must be displayed, even if user1 has no rights on related requirement (REQ-2).

I tested your code on my platform : Your fix prevents unauthorized edition of REQ-2 by user1 (this was clearly the most important in my opinion)

Nevertheless, he still has access to details of REQ-2 in the popup window, for a project on which he may have no right at all.
So (if possible), I would propose this enhancement to the behaviour :

- If the user does not have any right (view or edition) on the related requirement (REQ-2), display the relation to REQ-2 as a simple label without link or as a link to an error msg window in the Related Requirement column of relation table of REQ-1
=> this way, user1 has only information on the relation itself without seeing the details of REQ-2 and all users have the same view with all relations defined for REQ-1

- If user has view or modify rights on the related req (REQ-2), display the relation to REQ-2 as a link to have possibility to display the dialog window with details of REQ-2, always in read-only mode (as your code do now).

2012-09-01 19:59   
1.9.4 released