Mantis Bugtracker
testlink.org

ID: 0006529
Project: TestLink
Category: API - XMLRPC
View Status: public
Date Submitted: 2014-08-21 09:03
Last Update: 2014-09-27 16:42
Reporter: Mr.Bricodage
Assigned To: fman
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.9.11 (2014 Q2 - bug fixing)
Fixed in Version: 1.9.12 (2014 Q3)
Summary: 0006529: User Rights Verification using XML-RPC when uploading attachments
Description:
Context: I want to upload TestCase Attachment and Execution Attachment via XML-RPC.
I use the API key of a user that is defined with 'no rights' in the 'global' "user details" view and with 'admin' in a sandbox project ("Assign Test Project Roles").

I can upload attachments in my SandBox project with TestLink GUI, but I can't upload attachments in my SandBox project with XML-RPC. The XML response is :

<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
        <array><data>
  <value><struct>
  <member><name>code</name><value><int>2010</int></value></member>
  <member><name>message</name><value><string>User corresponding to Developer Key has insufficient rights to perform this action- Details: right mgt_view_tc, test project id: 0, test plan id: </string></value></member>
</struct></value>
</data></array>
      </value>
    </param>
  </params>
</methodResponse>


If I modify my global authorization (in the "user details" view) to "guest" or any other predefined role, upload is OK.

<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
        <struct>
  <member><name>fk_id</name><value><string>293503</string></value></member>
  <member><name>fk_table</name><value><string>nodes_hierarchy</string></value></member>
  <member><name>title</name><value><string>littleTxtFile.txt</string></value></member>
  <member><name>description</name><value><string></string></value></member>
  <member><name>file_name</name><value><string>littleTxtFile.txt</string></value></member>
  <member><name>file_size</name><value><int>11</int></value></member>
  <member><name>file_type</name><value><string></string></value></member>
</struct>
      </value>
    </param>
  </params>
</methodResponse>


IMHO, the behavior is wrong for 2 reasons:
1- XML-RPC should check user rights for the specified project, not in a 'global' view. (seems to be corrected for "reportTCresult" via 0005063)
2- A user should upload an attachment via XML-RPC only if he can do it via GUI. This is not true today, cause a 'global' "guest" user can only view a testcase using GUI but can upload an attachment via XML-RPC. According to information provided when upload is refused, the test seems to be 'right mgt_view_tc' and may be something like 'right mgt_edit_tc'.
Steps To Reproduce:
For the 1- :
a- Create a user with default <no rights>. Then give him <leader> rights on one of the testlink projects. Now try to upload a file using the API. This will fail.
b- Change the default rights of the user to <leader> and do the same. In this case the result will be uploaded.

For the 2- :
a- Create a user with default <guest>. Then give him <guest> rights on one of the testlink projects.
b- Try to upload a file using the API. This will upload even if the guest profile can't edit testcases.
Tags: No tags attached.
Database (MySQL,Postgres,etc): MySQL
QA Team - Task Workflow Status: READY FOR TESTING
Notes
(0021504)
fman (administrator)
2014-08-21 09:14

Thanks for the detailed analysis, I'm going to check.
(0021506)
fman (administrator)
2014-08-21 09:38

1. One of the issues is the right that is checked => mgt_view_tc (WRONG), has to be mgt_modify_tc.

The other issue is that the test project was not set (0 on message => use global).
(0021507)
fman (administrator)
2014-08-21 09:46

First fix (only for uploadTestCaseAttachment())
https://gitorious.org/testlink-ga/testlink-code/commit/10f57e7d4f5cc9d3f9affe41b47d1ca74055f7af

please test and provide feedback
(0021511)
Mr.Bricodage (updater)
2014-08-26 14:17
edited on: 2014-08-26 14:23

Feedback about your code modification :

Upload with an API key of a user that can't upload through GUI:
<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
        <array><data>
  <value><struct>
  <member><name>code</name><value><int>2010</int></value></member>
  <member><name>message</name><value><string>User corresponding to Developer Key has insufficient rights to perform this action- Details: right mgt_modify_tc, test project id: 34, test plan id: </string></value></member>
</struct></value>
</data></array>
      </value>
    </param>
  </params>
</methodResponse>

Upload with an API key of a user that can upload through GUI:
<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
        <struct>
  <member><name>fk_id</name><value><string>293466</string></value></member>
  <member><name>fk_table</name><value><string>nodes_hierarchy</string></value></member>
  <member><name>title</name><value><string>littleTxtFile.txt</string></value></member>
  <member><name>description</name><value><string></string></value></member>
  <member><name>file_name</name><value><string>littleTxtFile.txt</string></value></member>
  <member><name>file_size</name><value><int>11</int></value></member>
  <member><name>file_type</name><value><string></string></value></member>
</struct>
      </value>
    </param>
  </params>
</methodResponse>

==> Works fine!


"other issue is that test project was not set (0 on message => use global)."
Set by TestLink API? Because the XML-RPC request must not provide the test project when uploading via XML-RPC.


The 2 problems are solved (for "uploadTestCaseAttachment") by your code modification, because I can't generate anymore the "test project id: 0" error using the new xmlrpc.class.php file.

Great job ;-)
Thanks!

(0021718)
fman (administrator)
2014-09-27 16:42

Release done
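
The two defects discussed in this thread and the first fix, as a small model added here for illustration (not TestLink's code): the role table, the project-overrides-global rule and all function names are assumptions, while the right names and project id 34 come from the responses above. It compares the API decision with the project-scoped edit right for the users from "Steps To Reproduce".

```python
from dataclasses import dataclass, field

# Assumed, simplified role table; real TestLink roles carry many more rights.
ROLE_RIGHTS = {
    "no rights": set(),
    "guest": {"mgt_view_tc"},
    "leader": {"mgt_view_tc", "mgt_modify_tc"},
}
GLOBAL_SCOPE = 0  # the "test project id: 0" seen in the first refusal


@dataclass
class User:
    name: str
    global_role: str
    project_roles: dict = field(default_factory=dict)  # project id -> role


def has_right(user, right, project_id):
    """Assumed rule: a role assigned on the project overrides the global role."""
    role = user.project_roles.get(project_id, user.global_role)
    return right in ROLE_RIGHTS[role]


def gui_can_edit(user, project_id):
    # Reference decision: edit right, evaluated on the test case's project.
    return has_right(user, "mgt_modify_tc", project_id)


def api_upload_before_fix(user, project_id):
    # Reported behaviour: project not resolved (scope 0), view right tested.
    return has_right(user, "mgt_view_tc", GLOBAL_SCOPE)


def api_upload_after_fix(user, project_id):
    # After the first fix: modify right, checked on the resolved project.
    return has_right(user, "mgt_modify_tc", project_id)


def mismatches(users, project_id, api_check):
    """Names of users for whom the API and GUI decisions disagree."""
    return [u.name for u in users
            if api_check(u, project_id) != gui_can_edit(u, project_id)]


# Constructed users mirroring the reproduction steps.
USERS = [
    User("1a: no rights globally, leader on project", "no rights", {34: "leader"}),
    User("1b: leader globally", "leader"),
    User("2: guest globally and on project", "guest", {34: "guest"}),
]

if __name__ == "__main__":
    print("before fix:", mismatches(USERS, 34, api_upload_before_fix))
    print("after fix: ", mismatches(USERS, 34, api_upload_after_fix))
```

Before the fix, user 1a is refused although entitled on the project and user 2 is accepted although limited to viewing; after the fix the list of mismatches is empty.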

Issue History
Date Modified Username Field Change
2014-08-21 09:03 Mr.Bricodage New Issue
2014-08-21 09:14 fman Note Added: 0021504
2014-08-21 09:38 fman Note Added: 0021506
2014-08-21 09:46 fman Note Added: 0021507
2014-08-21 09:47 fman Assigned To => fman
2014-08-21 09:47 fman Status new => feedback
2014-08-26 14:17 Mr.Bricodage Note Added: 0021511
2014-08-26 14:17 Mr.Bricodage Status feedback => assigned
2014-08-26 14:23 Mr.Bricodage Note Edited: 0021511
2014-08-26 14:32 fman QA Team - Task Workflow Status => READY FOR TESTING
2014-08-26 14:32 fman Status assigned => resolved
2014-08-26 14:32 fman Fixed in Version => 1.9.12 (2014 Q3)
2014-08-26 14:32 fman Resolution open => fixed
2014-09-27 16:42 fman Note Added: 0021718
2014-09-27 16:42 fman Status resolved => closed