Mantis Bugtracker          
testlink.org

View Issue Details

ID: 0005804
Project: TestLink
Category: Reports - Failed/Blocked Test Cases
View Status: public
Date Submitted: 2013-07-08 18:22
Last Update: 2013-09-08 17:55
Reporter: N8OPC
Assigned To: fman
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.9.7 (2013 Q2 - bug fixing)
Fixed in Version: 1.9.8 (2013 Q3 - bug fixing)
Summary: 0005804: Failed Test Cases report shows history on all projects, ignoring Role security

Description:
I have a user that has been granted permission on ONE test plan only.
All other test-plans (and there are many) are explicitly given "No Access".
The "Failed Test Cases" report shows execution history for projects which the current user should not have access to (see 'steps to reproduce').

Steps To Reproduce:
1. Click on "Test Reports" in the primary navigation.
2. The "Test Plan" dropdown only shows the 1 project (so far, so good).
3. Click on the "Failed Test Cases" report.
4. Click on the Execution History icon beside a test result.
5. The entire history is shown for the test-case, which includes results for projects which the user does not have access to. This is a MAJOR security concern.
Tags: No tags attached.
Database (MySQL,Postgres,etc): MySQL
Browser: IE 10.0.9200-16618
QA Team - Task Workflow Status: TBD

- Relationships
child of 0005731 (closed, fman): Availables hot-fixes for 1.9.7 & How To get full fixed package from gitorious

- Notes
(0019223)
fman (administrator)
2013-07-08 19:49

testlink version please
(0019224)
N8OPC (reporter)
2013-07-08 20:22

Argh, sorry about that. The version is the latest version 1.9.7.
The database is MySQL.
This is running on a Windows system using XAMPP.

FYI: I did upgrade from v1.9.3 to 1.9.7 by literally installing/upgrading each version in between (1.9.4/5/6) and did NOT do any testing on any of those.
(0019225)
fman (administrator)
2013-07-09 12:40

Would you mind doing a simple test on a FRESH 1.9.7 install (i.e. empty db)?
(0019227)
N8OPC (reporter)
2013-07-09 13:43

I created a new installation, 2 test-cases, assigned to two test-plans and then executed the 4 tests. For each plan 1 test=pass and the other=fail.

I created a user as a "guest". I denied access to "plan1" and allowed guest access to "plan2".

I go to the Failed Test Cases report and I see "testcase1". When I click on the history I do actually see "plan1" and "plan2" in the table. Furthermore, when I expand the NOTES I can actually see/read them.

This is a big problem for me since this would allow one of my customers to see some results of other customer's products and would violate my privacy agreements etc.

Thanks for your assistance. I hope this helps.
(0019235)
fman (administrator)
2013-07-11 20:07

Please try with

http://gitorious.org/testlink-ga/testlink-code/commit/2de8503d95aed7be30c2591d6c0979f887b77be7

and provide feedback

If you find TL useful, consider to support our work
(0019236)
N8OPC (reporter)
2013-07-11 20:57

Hello, thank you for the provided fix.

I downloaded and installed the new file and tested it and I don't think that this has fixed the problem. I'll try to describe this as best I can.

TestPlan1.TestCase1=pass
TestPlan1.TestCase2=fail
TestPlan2.TestCase1=pass
TestPlan2.TestCase2=fail

When my "user" has "guest" role access to TestPlan1 and TestPlan2, the test-case history (TestCase2) shows ONLY the history for TestPlan2.

When my "user" has "no access" to TestPlan1, but "guest" for TestPlan2, then the test-case history (TestCase2) shows ONLY the history for TestPlan2.

When my "user" has "guest" role access to TestPlan1 and "no access" to TestPlan2, then the test-case history (TestCase2) shows the history for TestPlan1.

It seems that TestPlan2 trumps TestPlan1.

Does that make sense?
In my testing I had IE and F/fox open. IE was logged-in with an admin account and F/fox with the user account. As I was manipulating the user role permissions in IE I was simply refreshing the test-case history report in F/fox. I did do a logout/login once, but saw that it made no difference.
(0019238)
fman (administrator)
2013-07-12 18:47

Anyway, the way to answer your question is having detailed test cases; this means:
I do this, expect this and get that.
This is not the way note 19236 has been written.

A quick fix was provided, and I have not provided my scenario => my fault.
It is important to do tests using and specifying the TEST PLAN PRIVATE / PUBLIC attribute.

Below the way I expect to get the reports

1. user UA, "guest" role access to TestPlan1 and TestPlan2, test-case history (TestCase2) is expected to see executions on BOTH test plans.
Actual result: ONLY the history for TestPlan2. KO


2. userA "no access" to TestPlan1, "guest" for TestPlan2, then the test-case history (TestCase2) shows ONLY the history for TestPlan2.
Expected = ACTUAL => OK

3. userA GUEST to TestPlan1, NO ACCESS for TestPlan2, then the test-case history (TestCase2) shows ONLY the history for TestPlan1.
Expected = ACTUAL => OK


Please provide better details, regarding PUBLIC attribute of Test Plans.

I will try to provide my scenario
(0019239)
N8OPC (reporter)
2013-07-12 19:26

Hello again, I apologize for any information missing that you needed.

Both of my test-plans are ACTIVE and PUBLIC (checkbox=checked).

In your outline of items #1, 2, and 3 I can confirm that items 2 and 3 do behave exactly as you've described and in my estimation this is correct behavior.

For item #1 I do expect to see TestPlan1.TestCase2 and TestPlan2.TestCase2 in the "Execution History" screen, but only see TestPlan2.TestCase2 history.

Just to be clear, here are my click-by-click steps:

ADMIN (via IE):
 1. Click "Users/Roles"
 2. Click "Assign Test Plan Roles"
 3. Specify "TestPlan1" for Test Plan.
 4. Specify User with "guest" role.
 5. Click "Update".
 6. Change Test Plan to "TestPlan2"
 7. Specify User with "guest" role.
 8. Click "Update".
(User now has guest role for TestPlan1 and TestPlan2)

[At this point, TestCase2 has already FAILED in TestPlan1 and TestPlan2]


USER (via F/fox)
 [FYI: I do see "TestPlan1" and "TestPlan2" in the Current Test Plan]
 1. Click "Test Reports"
 2. Click "Failed Test Cases" [Test Plan "TestPlan1" is currently selected]
 3. I see TestCase1 in the table => Expected.
 4. Click "paper" icon for Execution history.
 5. In the report/dialog, I see TestCase2 for TestPlan2 only => Expected to see TestPlan1 and TestPlan2.


Does that help?
I do appreciate your time and assistance. Thank you.
(0019240)
fman (administrator)
2013-07-12 20:21
edited on: 2013-07-12 20:23

Found error in code.
Tested this way
1. create user userDefaultGuess, with default ROLE GUEST
2. create TestProject CURRY => PUBLIC
3. create Testplan PLAN PUBLIC 100 => PUBLIC
4. create Testplan PLAN PUBLIC 200 => PUBLIC

As you can see NO SPECIFIC role is assigned, then the role is INHERITED Guest.

5. execute same tests on both test plan
6. access execution history from reports => results from both testplan are displayed

Quick test => some issues => apologies.

Get fix and apply.
http://gitorious.org/testlink-ga/testlink-code/commit/eb414796b7bf9408cdcdc81cbe0fee83e32ca6cb

More tests needed (anyway).

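The access decision these notes circle around, as an added example that is not TestLink's code: a Python model of filtering a test case's execution history by the test plans the requesting user may read, covering the three scenarios of notes 0019236/0019238, the inherited default role of note 0019240 and the PUBLIC attribute raised in note 0019238. The role names, the data shapes and the rule that a private plan needs an explicit role are assumptions, not taken from TestLink's source.

```python
from dataclasses import dataclass, field

NO_ACCESS = "no access"   # TestLink's "No Access" role, as named in the report

@dataclass
class TestPlan:
    name: str
    public: bool = True   # the PUBLIC attribute fman asks about in note 0019238

@dataclass
class User:
    default_role: str                               # role inherited when no plan role is set
    plan_roles: dict = field(default_factory=dict)  # explicit per-test-plan role

def effective_role(user, plan):
    """Assumed resolution order: an explicit plan role wins; otherwise the
    inherited default role applies to PUBLIC plans and private plans are denied."""
    if plan.name in user.plan_roles:
        return user.plan_roles[plan.name]
    return user.default_role if plan.public else NO_ACCESS

def history_unfiltered(executions, test_case):
    """Behaviour the report describes: every execution of the case, from any plan."""
    return [e for e in executions if e["tc"] == test_case]

def history_filtered(executions, test_case, user, plans):
    """Expected behaviour: keep only executions from plans the user may read."""
    allowed = {p.name for p in plans if effective_role(user, p) != NO_ACCESS}
    return [e for e in executions if e["tc"] == test_case and e["plan"] in allowed]

# Constructed sample data mirroring the four executions in note 0019236.
PLANS = [TestPlan("TestPlan1"), TestPlan("TestPlan2")]
EXECUTIONS = [
    {"plan": "TestPlan1", "tc": "TestCase1", "status": "pass", "notes": "ok"},
    {"plan": "TestPlan1", "tc": "TestCase2", "status": "fail", "notes": "customer A details"},
    {"plan": "TestPlan2", "tc": "TestCase1", "status": "pass", "notes": "ok"},
    {"plan": "TestPlan2", "tc": "TestCase2", "status": "fail", "notes": "customer B details"},
]

def plans_in_history(user, test_case="TestCase2", plans=PLANS):
    """Sorted plan names the user sees in the execution history of test_case."""
    return sorted(e["plan"] for e in history_filtered(EXECUTIONS, test_case, user, plans))
```

The unfiltered variant returns both TestCase2 failures (including the other customer's notes) to a user who was denied TestPlan1, which is the leak the reporter describes; the filtered variant yields the results fman lists as expected in note 0019238.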
(0019241)
fman (administrator)
2013-07-12 20:23

please retest and provide feedback
(0019253)
N8OPC (reporter)
2013-07-15 14:39

I think that you've fixed it!

I tested the fix on the newly created database and the results I saw matched what I would expect.

I also tested the fix on my actual database, and it too behaved as I would expect.

Thank you so much for the fast turn around. I hope that this helps other people too! :)
(0019546)
fman (administrator)
2013-09-08 17:55

1.9.8 released

- Issue History
Date Modified Username Field Change
2013-07-08 18:22 N8OPC New Issue
2013-07-08 19:49 fman Note Added: 0019223
2013-07-08 20:22 N8OPC Note Added: 0019224
2013-07-09 12:40 fman Note Added: 0019225
2013-07-09 13:43 N8OPC Note Added: 0019227
2013-07-09 17:46 fman Product Version => 1.9.7 (2013 Q2 - bug fixing)
2013-07-09 18:46 fman Assigned To => fman
2013-07-09 18:46 fman Status new => acknowledged
2013-07-11 20:07 fman Note Added: 0019235
2013-07-11 20:07 fman Relationship added child of 0005731
2013-07-11 20:57 N8OPC Note Added: 0019236
2013-07-12 18:47 fman Note Added: 0019238
2013-07-12 19:26 N8OPC Note Added: 0019239
2013-07-12 20:21 fman Note Added: 0019240
2013-07-12 20:23 fman Note Edited: 0019240 View Revisions
2013-07-12 20:23 fman Note View State: 0019240: public
2013-07-12 20:23 fman Note Added: 0019241
2013-07-12 20:23 fman Status acknowledged => feedback
2013-07-15 14:39 N8OPC Note Added: 0019253
2013-07-15 14:39 N8OPC Status feedback => assigned
2013-07-15 15:46 fman Status assigned => resolved
2013-07-15 15:46 fman Fixed in Version => 1.9.8 (2013 Q3 - bug fixing)
2013-07-15 15:46 fman Resolution open => fixed
2013-09-08 17:55 fman Note Added: 0019546
2013-09-08 17:55 fman Status resolved => closed


