Mantis Bugtracker          
testlink.org

ID: 0006213
Project: TestLink
Category: API - XMLRPC
View Status: public
Date Submitted: 2014-02-18 14:02
Last Update: 2014-04-25 17:38
Reporter: serious_sam
Assigned To: fman
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.9.9 (2013 Q4 - bug fixing)
Fixed in Version: 1.9.10 (2014 Q1 - bug fixing)
Summary: 0006213: Test plan access rights not checked on API - XMLRPC
Description: It is possible to access a non public test plan created by a different user. Plans which are not owned by the user are not visible in GUI but still accessible using API.
Steps To Reproduce:
1. Create user1, user2
2. user1 creates a non public test plan 'plan1'
3. user2 creates a non public test plan 'plan2'
4. user2 can access plan1 using user2's devkey
5. user1 can access plan2 using user1's devkey
Tags: No tags attached.
Database (MySQL,Postgres,etc): MySQL
Browser:
PHP Version:
TestCaseID:
QA Team - Task Workflow Status: TBD
Attached Files:
TL-Dev_utest-online.log (6,028 bytes) 2014-03-09 19:13
rights_super_tester_TL199.PNG (49,036 bytes) 2014-03-09 20:13
rights_super_tester_TL1910.PNG (53,206 bytes) 2014-03-09 20:13
TL-Dev_utest-online_20140315.log (218 bytes) 2014-03-15 21:48
TL-Dev_TestLinkExampleGenericApi_20140304.log (25,196 bytes) 2014-03-15 21:48
TL-Dev_TestLinkExampleGenericApi_20140309.log (7,372 bytes) 2014-03-15 21:48
TL-Dev_TestLinkExampleGenericApi_20140315.log (26,341 bytes) 2014-03-15 21:49

- Relationships
child of 0006048 (closed, fman): Availables hot-fixes for 1.9.9 & How To get full fixed package from gitorious

-  Notes
(0020547)
fman (administrator)
2014-03-08 19:23

Can you give these changes a try and provide feedback?

https://gitorious.org/testlink-ga/testlink-code/commit/555409fb23f75ec7d1af16e7827244ede6b2eb45
(0020554)
lczub (reporter)
2014-03-09 16:07

Hello fman,
I think your latest gitorious change 555409f is too restricted.
Currently it is not possible to create new projects via the xmlrpc api:

1. call createTestProject() with
   testprojectname = 'Proj-A'; notes = 'test create new project';
   testcaseprefix = 'P-A'

=> api returns error message: 2010
User corresponding to Developer Key has insufficient rights to perform this action- Details: right mgt_modify_product, test project id: 0, test plan id:

With gitorious code from 04.03.2014, the user was able to create new test projects.




my test users could not create a new testis not able
(0020555)
fman (administrator)
2014-03-09 17:23

ok will test more. Thanks
(0020556)
fman (administrator)
2014-03-09 17:45
edited on: 2014-03-09 17:52

1. create test project with user with admin role => (expected OK) => got OK
2. create test project with user with guest role => (expected KO) => got KO

(0020557)
fman (administrator)
2014-03-09 17:58
edited on: 2014-03-09 18:03

1. Create Public Test Project
2. Create private Test Plan
3. Create public Test Plan

user admin with ROLE ADMIN, HAS NO SPECIFIC ROLE on PRIVATE TEST PLAN.
user onlypublic has only access to public test plan (inherited LEADER)

1. add test case to PRIVATE test plan, user onlypublic => get error message => OK
2. add test case to PUBLIC test plan, user onlypublic => DONE => OK

(0020558)
fman (administrator)
2014-03-09 18:05

1. Create PRIVATE TEST PROJECT
2. Create PUBLIC TEST PLAN inside PRIVATE TEST PROJECT

user admin with ROLE ADMIN, HAS NO SPECIFIC ROLE on PRIVATE TEST PLAN.
user onlypublic has NO ROLE ON TEST PROJECT.
(0020559)
fman (administrator)
2014-03-09 18:10

https://gitorious.org/testlink-ga/testlink-code/commit/1d3944d1ce4d0d6e3899e6ac79c073ffa7c60a12

please retest (see previous notes with test done)
(0020560)
lczub (reporter)
2014-03-09 19:22
edited on: 2014-03-09 20:17

createTestProject() works now, but createTestPlan() for this newly created project fails. The user has special "super tester" rights. (See attachments rights_super_tester_TL199.PNG vs. rights_super_tester_TL1910.PNG, TL Dev1.9.10 runs on psql 9.2)

In the attachment TL-Dev_utest-online.log you will find several other API methods which now have a different failure behaviour when the API method asks for an unknown testproject/testplan/testcase id.

Before your change, a topic-specific error code (testplan, testproject, platform, testcase) occurred. Now the system always returns the "2010" error message.

(0020561)
fman (administrator)
2014-03-09 22:12
edited on: 2014-03-09 22:59

I need to do deeper checks.
Stay tuned, thanks for your help.

(0020587)
fman (administrator)
2014-03-15 08:37

Would you mind getting the latest code and repeating the tests?

best regards
(0020593)
lczub (reporter)
2014-03-15 16:48

Retests with the latest gitorious change 4ee0847 are successful:
- super tester can now again create test projects with plans, platforms, cases and results via the API.
- failure behaviour "unknownID" of API methods is now equal to the state before your 0006213 changes
(0020594)
fman (administrator)
2014-03-15 17:56

Thanks again for your help.
Because I really do not have enough time, I need to ask you to provide me with more details.

>> super tester could now again create test projects with plans,
>> platforms, cases and results via the api.
Does this mean it is OK?

>> - failure behaviour "unknownID" of api methods are now equal
>> to state before your 0006213 changes
Can you provide before and after results?

regards
(0020595)
lczub (reporter)
2014-03-15 21:58

Yes it is ok.
You will find some logs of my tests in the attachments:
- before change: TL-Dev_TestLinkExampleGenericApi_20140304.log
- buggy change: TL-Dev_utest-online.log + TL-Dev_TestLinkExampleGenericApi_20140309.log
- current ok change: TL-Dev_utest-online_20140315.log + TL-Dev_TestLinkExampleGenericApi_20140315.log
(0020596)
fman (administrator)
2014-03-16 08:44

Thanks
(0020599)
fman (administrator)
2014-03-16 17:39

Unfortunately I found the log you provided too complex to read to understand where the errors are.
I need a simpler thing, just something like:
FAILED METHOD - Expected Result - Actual result.

File TL-Dev_utest-online_20140315.log has no useful info.

The best info is provided in TL-Dev_utest-online.log.

Maybe if you just explain in simple words what unknownID means in this context,
things will be easier to fix.

thanks again
(0020603)
lczub (reporter)
2014-03-17 14:31

a) I think the failure descriptions you are interested in are already given in comments 6213#c20560 and 6213#c20554.
The important list of "failed" API calls is documented in the unit test log file TL-Dev_utest-online.log

b) The useful info in the unit test log file TL-Dev_utest-online_20140315.log is that the failures detected with TL-Dev_utest-online.log no longer occur.

Info about the tested API calls: see https://github.com/lczub/TestLink-API-Python-client/blob/v0.4.8/test/utest-online/testlinkapigeneric_online_test.py

c) TL-Dev_TestLinkExampleGenericApi_*.log are outputs of an example script showing how a test project could be built up with API calls in Python.

Logs *_0304.log and *_0315.log show that no error (traceback in Python) occurs before and after your change.
Log *_0309 shows that the process stops with an error in the step "createTestProject" with your change under development (state 20140309).

Info about the used API calls: see https://github.com/lczub/TestLink-API-Python-client/blob/v0.4.8/example/TestLinkExampleGenericApi.py

Sorry, but I currently also have no time to translate these automatic scripts into human-readable text. From the scope of TestLink-API-Python-client, the TestLink XMLRPC API is now working well again.

If you are interested in setting up repeatable Robot Framework tests for TestLink's XMLRPC-API, let us talk outside this issue.
(0020803)
fman (administrator)
2014-04-25 17:38

1.9.10 released
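
The access rule this issue is about, together with the two regressions reported while it was being fixed (createTestProject() rejected with 2010, and unknown ids no longer returning their topic-specific error), as an added example that is not TestLink's code and not part of the original thread. It is a simplified Python model: the users, plans, roles, the right name view_plan and the non-2010 error names are constructed, and the rule that a private plan requires an explicit per-plan role is an assumption.

```python
# Simplified model of the checks discussed in this issue. Users, plans, roles and the
# right "view_plan" are constructed; only 2010 and mgt_modify_product are from the thread.
INSUFFICIENT_RIGHTS = 2010
ROLE_RIGHTS = {"admin": {"mgt_modify_product", "view_plan"},
               "leader": {"view_plan"}, "guest": set()}
USERS = {"key-admin": ("admin", "admin"), "key-user1": ("user1", "leader"),
         "key-user2": ("user2", "leader"), "key-guest": ("guest1", "guest")}
PLANS = {1: {"name": "plan1", "public": False, "roles": {"user1": "leader"}},
         2: {"name": "plan2", "public": False, "roles": {"user2": "leader"}},
         3: {"name": "open", "public": True, "roles": {}}}

class ApiError(Exception):
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code

def authenticate(devkey):
    if devkey not in USERS:
        raise ApiError("INVALID_DEVKEY", "unknown developer key")
    return USERS[devkey]  # (login, global role)

def effective_role(login, global_role, plan):
    """Explicit plan role wins; only public plans inherit the global role."""
    if login in plan["roles"]:
        return plan["roles"][login]
    return global_role if plan["public"] else None

def get_test_plan(devkey, plan_id):
    login, global_role = authenticate(devkey)
    plan = PLANS.get(plan_id)
    if plan is None:  # resolve the id first so the topic-specific error survives
        raise ApiError("UNKNOWN_TESTPLAN", f"no test plan with id {plan_id}")
    role = effective_role(login, global_role, plan)
    if role is None or "view_plan" not in ROLE_RIGHTS[role]:
        raise ApiError(INSUFFICIENT_RIGHTS, f"right view_plan, test plan id: {plan_id}")
    return plan["name"]

def create_test_project(devkey, name):
    _, global_role = authenticate(devkey)
    # No project exists yet (id 0), so only the global role can grant the right.
    if "mgt_modify_product" not in ROLE_RIGHTS[global_role]:
        raise ApiError(INSUFFICIENT_RIGHTS, "right mgt_modify_product, test project id: 0")
    return name

def outcome(fn, *args):  # ('ok', result) or ('error', code) for one API call
    try:
        return ("ok", fn(*args))
    except ApiError as err:
        return ("error", err.code)
```

In this model, distinct codes for an unknown id and for denied access let a caller tell existing private plan ids apart from unused ones, which is worth weighing when choosing the order of the two checks.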

- Issue History
Date Modified Username Field Change
2014-02-18 14:02 serious_sam New Issue
2014-03-04 17:32 fman QA Team - Task Workflow Status => TBD
2014-03-04 17:32 fman Summary Test plan access rights => Test plan access rights not checked on API - XMLRPC
2014-03-08 19:23 fman Assigned To => fman
2014-03-08 19:23 fman Status new => assigned
2014-03-08 19:23 fman Note Added: 0020547
2014-03-08 19:24 fman Status assigned => feedback
2014-03-08 19:24 fman Relationship added child of 0006048
2014-03-09 16:07 lczub Note Added: 0020554
2014-03-09 17:23 fman Note Added: 0020555
2014-03-09 17:45 fman Note Added: 0020556
2014-03-09 17:52 fman Note Edited: 0020556 View Revisions
2014-03-09 17:58 fman Note Added: 0020557
2014-03-09 18:03 fman Note Edited: 0020557 View Revisions
2014-03-09 18:05 fman Note Added: 0020558
2014-03-09 18:10 fman Note Added: 0020559
2014-03-09 18:10 fman Note View State: 0020556: public
2014-03-09 18:10 fman Note View State: 0020557: public
2014-03-09 18:10 fman Note View State: 0020558: public
2014-03-09 19:13 lczub File Added: TL-Dev_utest-online.log
2014-03-09 19:22 lczub Note Added: 0020560
2014-03-09 20:12 lczub Note Edited: 0020560 View Revisions
2014-03-09 20:13 lczub File Added: rights_super_tester_TL199.PNG
2014-03-09 20:13 lczub File Added: rights_super_tester_TL1910.PNG
2014-03-09 20:17 lczub Note Edited: 0020560 View Revisions
2014-03-09 22:12 fman Note Added: 0020561
2014-03-09 22:59 fman Note Edited: 0020561 View Revisions
2014-03-09 22:59 fman Note View State: 0020561: public
2014-03-15 08:37 fman Note Added: 0020587
2014-03-15 16:48 lczub Note Added: 0020593
2014-03-15 17:56 fman Note Added: 0020594
2014-03-15 21:48 lczub File Added: TL-Dev_utest-online_20140315.log
2014-03-15 21:48 lczub File Added: TL-Dev_TestLinkExampleGenericApi_20140304.log
2014-03-15 21:48 lczub File Added: TL-Dev_TestLinkExampleGenericApi_20140309.log
2014-03-15 21:49 lczub File Added: TL-Dev_TestLinkExampleGenericApi_20140315.log
2014-03-15 21:58 lczub Note Added: 0020595
2014-03-16 08:44 fman Note Added: 0020596
2014-03-16 17:39 fman Note Added: 0020599
2014-03-17 14:31 lczub Note Added: 0020603
2014-04-25 14:46 fman Fixed in Version => 1.9.10 (2014 Q1 - bug fixing)
2014-04-25 14:46 fman Status feedback => resolved
2014-04-25 14:46 fman Resolution open => fixed
2014-04-25 17:38 fman Note Added: 0020803
2014-04-25 17:38 fman Status resolved => closed


