Mantis Bugtracker          
testlink.org

View Issue Details
ID: 0007399
Project: TestLink
Category: API - XMLRPC
View Status: public
Date Submitted: 2016-01-05 15:02
Last Update: 2016-09-08 15:13
Reporter: atisne
Assigned To: fman
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: GFAS
OS: CentOS/RedHat
OS Version: 5
Product Version: 1.9.14 (2015 Q3)
Fixed in Version: 1.9.15 (2015 Q4)
Summary: 0007399: Issue in permission check when creating a test suite via the XMLRPC API
Description: This piece of code seems suspicious:

extract of lib/api/xmlrpc/v1/xmlrpc.class.php

...
1 public function createTestSuite($args)
2 {
3 $result=array();
4 $this->_setArgs($args);
5 $operation=__FUNCTION__;
6 $msg_prefix="({$operation}) - ";
7 $checkFunctions = array('authenticate','checkTestSuiteName','checkTestProjectID');
8 $status_ok = $this->_runChecks($checkFunctions,$msg_prefix);
9
10 // When working on PRIVATE containers, globalRole Admin is ENOUGH
11 // because this is how TestLink works when this action is done on GUI
12 if( $status_ok && $this->user->globalRole->dbID != TL_ROLES_ADMIN)
13 {
14 if( $this->userHasRight("mgt_modify_tc",self::CHECK_PUBLIC_PRIVATE_ATTR) )
15 {
16 $status_ok = true;
17 }
18 }
...

To enter the first if statement (11), $status_ok must be true.
After the second if statement (13), $status_ok will be true in any case, even if the user does not have the 'modify TC' right.

Should we not rather write the second if as follows?

14 if( ! $this->userHasRight("mgt_modify_tc",self::CHECK_PUBLIC_PRIVATE_ATTR) )
15 {
16 $status_ok = false;
17 }

or simpler

14 $status_ok = $this->userHasRight("mgt_modify_tc",self::CHECK_PUBLIC_PRIVATE_ATTR);
Tags: No tags attached.
Database (MySQL, Postgres, etc): Postgresql
Browser:
PHP Version: PHP 5.4.45
TestCaseID:
QA Team - Task Workflow Status: READY FOR TESTING
Attached Files:

- Relationships
child of 0007262 (closed, fman): Availables hot-fixes for 1.9.14 & How To get full fixed package from GitHub

- Notes
(0024386)
fman (administrator)
2016-01-05 19:03

Please provide issue details, explaining what the issue is, and the steps to reproduce BEFORE THE CHANGE.

Then provide the change to be done, and evidence that tests pass.
(0024390)
atisne (reporter)
2016-01-06 10:01

Issue: A non-admin user without the mgt_modify_tc privilege will be able to create a test suite using the XMLRPC API.

Steps to reproduce:
1- write a script using the XMLRPC API that creates a test suite
2- run this script as a non-admin user without the mgt_modify_tc privilege
-> the test case will be created even though the user is not allowed
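The following added example is not TestLink's code and is not the change in the linked commit; it models the permission check quoted in the description next to the reporter's proposed correction, and runs both over constructed users to show the one case where they diverge. FakeUser, hasRight(), the role id values and the case table are assumptions made for this illustration.

```php
<?php
// Added example (not TestLink code): a minimal model of the permission
// check quoted from createTestSuite(), side by side with a corrected form.
// FakeUser, hasRight(), the role id value and the $cases data are all
// constructed for this illustration.

define('TL_ROLES_ADMIN', 8);             // placeholder value, not TestLink's constant
define('RIGHT_MODIFY_TC', 'mgt_modify_tc');

class FakeUser
{
    public $globalRoleId;
    private $rights;

    public function __construct($globalRoleId, array $rights)
    {
        $this->globalRoleId = $globalRoleId;
        $this->rights = $rights;
    }

    // Stand-in for userHasRight(): true only if the right is granted.
    public function hasRight($right)
    {
        return in_array($right, $this->rights, true);
    }
}

// Same shape as the quoted code. $statusOk is the outcome of the earlier
// checks (authenticate, suite name, project id). The inner branch can only
// re-assign true, so a missing right never flips the result to false.
function createTestSuiteCheckBuggy(FakeUser $user, $statusOk)
{
    if ($statusOk && $user->globalRoleId != TL_ROLES_ADMIN) {
        if ($user->hasRight(RIGHT_MODIFY_TC)) {
            $statusOk = true; // no-op: already true on entry
        }
    }
    return $statusOk;
}

// The reporter's simpler form: for non-admins the outcome *is* the right check.
function createTestSuiteCheckFixed(FakeUser $user, $statusOk)
{
    if ($statusOk && $user->globalRoleId != TL_ROLES_ADMIN) {
        $statusOk = $user->hasRight(RIGHT_MODIFY_TC);
    }
    return $statusOk;
}

// Constructed cases: label, user, did the earlier checks pass, expected result.
$cases = array(
    array('admin, no explicit right',        new FakeUser(TL_ROLES_ADMIN, array()),     true,  true),
    array('non-admin with mgt_modify_tc',    new FakeUser(3, array(RIGHT_MODIFY_TC)),   true,  true),
    array('non-admin without the right',     new FakeUser(3, array()),                  true,  false),
    array('non-admin, earlier check failed', new FakeUser(3, array(RIGHT_MODIFY_TC)),   false, false),
);

printf("%-34s %-6s %-6s %s\n", 'case', 'buggy', 'fixed', 'note');
foreach ($cases as $c) {
    list($label, $user, $earlierOk, $expected) = $c;
    $buggy = createTestSuiteCheckBuggy($user, $earlierOk);
    $fixed = createTestSuiteCheckFixed($user, $earlierOk);
    $note  = ($buggy !== $expected) ? '<- buggy form allows an action the role does not permit' : '';
    printf("%-34s %-6s %-6s %s\n", $label, var_export($buggy, true), var_export($fixed, true), $note);
}
```

Only the third row differs: the original form never assigns false inside the non-admin branch, so a user who lacks mgt_modify_tc inherits the true value left by the earlier checks. Collapsing the branch to a single assignment removes that dead path, and the table doubles as a regression check to keep next to any authorization gate written in the "only set on success" style.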
(0024395)
fman (administrator)
2016-01-09 09:17

Would you mind getting
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/9e176c4d0d91196fa7790ebdad121845c266fbd3

retesting, and confirming it is fixed?

regards
(0024402)
atisne (reporter)
2016-01-11 16:55

The fix is OK.
(0025293)
fman (administrator)
2016-09-08 15:13

1.9.15 Released - 2016-09-08

- Issue History
Date Modified Username Field Change
2016-01-05 15:02 atisne New Issue
2016-01-05 19:03 fman Note Added: 0024386
2016-01-05 19:04 fman Assigned To => fman
2016-01-05 19:04 fman Status new => feedback
2016-01-06 10:01 atisne Note Added: 0024390
2016-01-06 10:01 atisne Status feedback => assigned
2016-01-09 09:17 fman Note Added: 0024395
2016-01-09 09:17 fman Status assigned => feedback
2016-01-09 09:17 fman QA Team - Task Workflow Status => TBD
2016-01-09 09:17 fman Relationship added child of 0007262
2016-01-11 16:55 atisne Note Added: 0024402
2016-01-11 16:55 atisne Status feedback => assigned
2016-01-11 18:56 fman QA Team - Task Workflow Status TBD => READY FOR TESTING
2016-01-11 18:56 fman Status assigned => resolved
2016-01-11 18:56 fman Fixed in Version => 1.9.15 (2015 Q4)
2016-01-11 18:56 fman Resolution open => fixed
2016-09-08 15:13 fman Note Added: 0025293
2016-09-08 15:13 fman Status resolved => closed



Copyright © 2000 - 2018 MantisBT Team
Powered by Mantis Bugtracker