|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0005804||TestLink||Reports - Failed/Blocked Test Cases||public||2013-07-08 18:22||2013-09-08 17:55|
|Product Version||1.9.7 (2013 Q2 - bug fixing)|
|Fixed in Version||1.9.8 (2013 Q3 - bug fixing)|
|Summary||0005804: Failed Test Cases report shows history on all projects, ignoring Role security|
|Description||I have a user that has been granted permission on ONE test plan only.|
All other test-plans (and there are many) are explicitly given "No Access".
The "Failed Test Cases" report shows execution history for projects which the current user should not have access to (see 'steps to reproduce').
|Steps To Reproduce||1. Click on "Test Reports" in the primary navigation.|
2. The "Test Plan" dropdown only shows the 1 project (so far, so good).
3. Click on the "Failed Test Cases" report.
4. Click on the Execution History icon beside a test result.
5. The entire history is shown for the test-case, which includes results for projects which the user does not have access to. This is a MAJOR security concern.
|Tags||No tags attached.|
|QA Team - Task Workflow Status||TBD|
|testlink version please|
Argh, sorry about that. The version is the latest version 1.9.7.
The database is MySQL.
This is running on a Windows system using XAMPP.
FYI: I did upgrade from v1.9.3 to 1.9.7 by literally installing/upgrading each version in between (1.9.4/5/6) and did NOT do any testing on any of those.
|would you mind to do a simple test on a FRESH 1.9.7 install (i.e. empty db) ?|
I created a new installation, 2 test-cases, assigned to two test-plans and then executed the 4 tests. For each plan 1 test=pass and the other=fail.
I created a user as a "guest". I denied access to "plan1" and allowed guest access to "plan2".
I go to the Failed Test Cases report and I see "testcase1". When I click on the history I do actually see "plan1" and "plan2" in the table. Furthermore, when I expand the NOTES I can actually see/read them.
This is a big problem for me since this would allow one of my customers to see some results of other customers' products and would violate my privacy agreements etc.
Thanks for your assistance. I hope this helps.
Please try with
and provide feedback
Hello, thank you for the provided fix.
I downloaded and installed the new file and tested it and I don't think that this has fixed the problem. I'll try to describe this as best I can.
When my "user" has "guest" role access to TestPlan1 and TestPlan2, the test-case history (TestCase2) shows ONLY the history for TestPlan2.
When my "user" has "no access" to TestPlan1, but "guest" for TestPlan2, then the test-case history (TestCase2) shows ONLY the history for TestPlan2.
When my "user" has "guest" role access to TestPlan1 and "no access" to TestPlan2, then the test-case history (TestCase2) shows the history for TestPlan1.
It seems that TestPlan2 trumps TestPlan1.
Does that make sense?
In my testing I had IE and F/fox open. IE was logged-in with an admin account and F/fox with the user account. As I was manipulating the user role permissions in IE I was simply refreshing the test-case history report in F/fox. I did do a logout/login once, but saw that it made no difference.
Anyway, the answer to your question is having detailed test cases; this means:
I do this, expect this and get that.
This is not the way note 19236 has been written.
A quick fix was provided, and I have not provided my scenario => my fault
It is important to test using and specifying the TEST PLAN PRIVATE / PUBLIC attribute
Below the way I expect to get the reports
1. user UA, "guest" role access to TestPlan1 and TestPlan2, test-case history (TestCase2) is expected to see executions on BOTH test plans.
Actual result: ONLY the history for TestPlan2. KO
2. userA "no access" to TestPlan1, "guest" for TestPlan2, then the test-case history (TestCase2) shows ONLY the history for TestPlan2.
Expected = ACTUAL => OK
3. userA GUEST to TestPlan1, NO ACCESS for TestPlan2, then the test-case history (TestCase2) shows ONLY the history for TestPlan1.
Expected = ACTUAL => OK
Please provide better details, regarding PUBLIC attribute of Test Plans.
I will try to provide my scenario
Hello again, I apologize for any information missing that you needed.
Both of my test-plans are ACTIVE and PUBLIC (checkbox=checked).
In your outline of items #1, 2, and 3 I can confirm that items #2 and 3 do behave exactly as you've described and in my estimation this is correct behavior.
For item #1 I do expect to see TestPlan1.TestCase2 and TestPlan2.TestCase2 in the "Execution History" screen, but only see TestPlan2.TestCase2 history.
Just to be clear, here are my click-by-click steps:
ADMIN (via IE):
1. Click "Users/Roles"
2. Click "Assign Test Plan Roles"
3. Specify "TestPlan1" for Test Plan.
4. Specify User with "guest" role.
5. Click "Update".
6. Change Test Plan to "TestPlan2"
7. Specify User with "guest" role.
8. Click "Update".
(User now has guest role for TestPlan1 and TestPlan2)
[At this point, TestCase2 has already FAILED in TestPlan1 and TestPlan2]
USER (via F/fox)
[FYI: I do see "TestPlan1" and "TestPlan2" in the Current Test Plan]
1. Click "Test Reports"
2. Click "Failed Test Cases" [Test Plan "TestPlan1" is currently selected]
3. I see TestCase1 in the table => Expected.
4. Click "paper" icon for Execution history.
5. In the report/dialog, I see TestCase2 for TestPlan2 only => Expected to see TestPlan1 and TestPlan2.
Does that help?
I do appreciate your time and assistance. Thank you.
edited on: 2013-07-12 20:23
find error on code.
Tested this way
1. create user userDefaultGuess, with default ROLE GUEST
2. create TestProject CURRY => PUBLIC
3. create Testplan PLAN PUBLIC 100 => PUBLIC
4. create Testplan PLAN PUBLIC 200 => PUBLIC
As you can see NO SPECIFIC role is assigned, then role is INHERITED Guess
5. execute same tests on both test plan
6. access execution history from reports => results from both testplan are displayed
Quick test => some issues => apologize.
get fix and apply.
More test needed. (anyway)
|please retest and provide feedback|
I think that you've fixed it!
I tested the fix on the newly created database and the results I saw matched what I would expect.
I also tested the fix on my actual database, and it too behaved as I would expect.
Thank you so much for the fast turn around. I hope that this helps other people too! :)
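The behaviour the thread converges on, as an added Python model (not TestLink's code, which is not shown on this page): execution-history rows are filtered by the viewer's effective role on each row's test plan, with the unfiltered query beside it for comparison. The sample data, the function names and the rule that a private plan needs an explicit role are assumptions made for illustration.

```python
from dataclasses import dataclass

NO_ACCESS = "no access"  # role name as used in the thread

@dataclass(frozen=True)
class Execution:
    testcase: str
    testplan: str
    status: str
    notes: str

# Constructed sample data mirroring the thread: TestCase2 failed in both plans.
PLANS = {"TestPlan1": {"public": True}, "TestPlan2": {"public": True}}
EXECUTIONS = [
    Execution("TestCase2", "TestPlan1", "failed", "customer A notes"),
    Execution("TestCase2", "TestPlan2", "failed", "customer B notes"),
    Execution("TestCase1", "TestPlan1", "passed", ""),
]

def effective_role(user, plan_name, plans=PLANS):
    """Explicit per-plan role wins; otherwise the default role is inherited.
    Assumptions of this model: unknown plans are denied, and a private plan
    is never inherited (it needs an explicit role)."""
    plan = plans.get(plan_name)
    if plan is None:
        return NO_ACCESS
    explicit = user["plan_roles"].get(plan_name)
    if explicit is not None:
        return explicit
    return user["default_role"] if plan["public"] else NO_ACCESS

def unfiltered_history(executions, testcase):
    """The reported behaviour: every execution of the test case, any plan."""
    return [e for e in executions if e.testcase == testcase]

def visible_history(user, executions, testcase, plans=PLANS):
    """Same query, but rows from plans the user cannot read are dropped."""
    return [e for e in unfiltered_history(executions, testcase)
            if effective_role(user, e.testplan, plans) != NO_ACCESS]

def plans_seen(plan_roles, default_role="guest", plans=PLANS):
    """Plan names a user sees in TestCase2's history for a role assignment."""
    user = {"default_role": default_role, "plan_roles": plan_roles}
    rows = visible_history(user, EXECUTIONS, "TestCase2", plans)
    return sorted(e.testplan for e in rows)
```

Calling `plans_seen` with the role assignments from the three numbered scenarios, and with an empty assignment for the inherited-role case, gives a regression check that can be rerun after each fix attempt.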
|2013-07-08 18:22||N8OPC||New Issue|
|2013-07-08 19:49||fman||Note Added: 0019223|
|2013-07-08 20:22||N8OPC||Note Added: 0019224|
|2013-07-09 12:40||fman||Note Added: 0019225|
|2013-07-09 13:43||N8OPC||Note Added: 0019227|
|2013-07-09 17:46||fman||Product Version||=> 1.9.7 (2013 Q2 - bug fixing)|
|2013-07-09 18:46||fman||Assigned To||=> fman|
|2013-07-09 18:46||fman||Status||new => acknowledged|
|2013-07-11 20:07||fman||Note Added: 0019235|
|2013-07-11 20:07||fman||Relationship added||child of 0005731|
|2013-07-11 20:57||N8OPC||Note Added: 0019236|
|2013-07-12 18:47||fman||Note Added: 0019238|
|2013-07-12 19:26||N8OPC||Note Added: 0019239|
|2013-07-12 20:21||fman||Note Added: 0019240|
|2013-07-12 20:23||fman||Note Edited: 0019240||View Revisions|
|2013-07-12 20:23||fman||Note View State: 0019240: public|
|2013-07-12 20:23||fman||Note Added: 0019241|
|2013-07-12 20:23||fman||Status||acknowledged => feedback|
|2013-07-15 14:39||N8OPC||Note Added: 0019253|
|2013-07-15 14:39||N8OPC||Status||feedback => assigned|
|2013-07-15 15:46||fman||Status||assigned => resolved|
|2013-07-15 15:46||fman||Fixed in Version||=> 1.9.8 (2013 Q3 - bug fixing)|
|2013-07-15 15:46||fman||Resolution||open => fixed|
|2013-09-08 17:55||fman||Note Added: 0019546|
|2013-09-08 17:55||fman||Status||resolved => closed|