[webcommittee][SC56][Move/Copy] Fix failed ServerAdmin unit tests under Linux

Jason Birch Jason.Birch at nanaimo.ca
Mon Oct 2 10:20:15 EDT 2006


I believe that this was an account that was set up by Daniel.  I certainly haven't got into the CollabNet permissions system far enough to figure this out.
 
The issue is that the project tracker for the website needs to allow users to submit problems without having to sign up first; it is too much of an impediment.
 
This has happened a couple times in the past.  I wonder if a spider is hitting a link.  If so, perhaps a robots.txt file would help.
 
Jason
 

________________________________

From: Auke Jilderda [mailto:auke at collab.net]
Sent: Mon 2006-10-02 1:24 AM
To: Robert Bray; dev at webcommittee.osgeo.org
Cc: Andrew Kelly; issues at webcommittee.osgeo.org
Subject: RE: [webcommittee][SC56][Move/Copy] Fix failed ServerAdmin unit tests under Linux



Gentlemen,

I looked into what happened with SC56 being copied by a guest user.

The webcommittee project has granted both the user group "*Domain Users"
(basically all registered users) and the "guest" user the
"webcommittee.guest for issue tracker" (project specific) role.  This
role defined among others the following permissions:
    Project Issue Tracking - Add Comment  All applicable resources: .*
    Project Issue Tracking - Assignable   All applicable resources: .*
    Project Issue Tracking - Attach File  All applicable resources: .*
    Project Issue Tracking - Query        All applicable resources: .*
    Project Issue Tracking - Submit       All applicable resources: .*

In OSGeo.org, an anonymous user's permissions are defined via the
guest user account.  By granting this user this role, the webcommittee
allows anonymous users to submit new artifacts (both instantiating from
scratch or copying it from another, existing artifact).  Hence, the
system allows what it is told to allow.

I suggest revoking this role from the guest account and only allowing
registered users to submit artifacts.  Alternatively, I suggest adding a
field in the tracker for the anonymous user to identify themselves upon
submitting an artifact.


Auke

> -----Original Message-----
> From: Robert Bray [mailto:robert.bray at autodesk.com]
> Sent: 29 September 2006 19:03
> To: Andrew Kelly; Auke Jilderda
> Subject: FW: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
> Importance: High
>
> This looks like a pretty serious security breach. Can we look into it?
>
> 
>
> Thanks,
>
> Bob
>
> 
>
> ________________________________
>
> From: Walt Welton-Lair
> Sent: Friday, September 29, 2006 10:55 AM
> To: Robert Bray
> Subject: FW: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
>
> 
>
> Have you seen this before?
>
>       -----Original Message-----
>       From: Jason Birch [mailto:Jason.Birch at nanaimo.ca]
>       Sent: Fri 9/29/2006 6:32 PM
>       To: Walt Welton-Lair; issues at webcommittee.osgeo.org; Tim Strang
>       Cc:
>       Subject: RE: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
>
>       Seems like the only possible explanation.
>      
>       Either that or you're a victim of identity theft and
> someone's out there maliciously copying tickets between
> projects on your behalf...
>      
>       Jason
>      
>       -----Original Message-----
>       From: Walt Welton-Lair [mailto:walt.welton-lair at autodesk.com]
>       Sent: Friday, September 29, 2006 08:48
>       To: Jason Birch; issues at webcommittee.osgeo.org; Tim Strang
>       Subject: RE: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
>      
>       My reaction too.  I didn't do this.  Maybe project
> tracker screwed up...
>      
>       -----Original Message-----
>       From: Jason Birch [mailto:Jason.Birch at nanaimo.ca]
>       Sent: Friday, September 29, 2006 5:29 PM
>       To: issues at webcommittee.osgeo.org; Walt Welton-Lair; Tim Strang
>       Subject: RE: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
>      
>       Huh?
>      
>       -----Original Message-----
>       From: Guest User [mailto:admin at osgeo.org]
>       Sent: Friday, September 29, 2006 00:13
>       To: Walt Welton-Lair; Tim Strang
>       Cc: issues at webcommittee.osgeo.org
>       Subject: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
>      
>      
>       Artifact SC56 has just been copied from mapguide/Defect
> to webcommittee/Defect by user waltweltonlair.
>      
>       You can view the artifact detail at the following URL:
>      
>           https://webcommittee.osgeo.org/servlets/Scarab/id/SC56
>      
>       Details:
>      
> ---------------------------------------------------------------------
>      
>       Reason:
>       hioopnñ
>      
>      
> ---------------------------------------------------------------------
>       This message was automatically generated by Project Tracker.
>      
>      
>      
>      
>      
>      
> ---------------------------------------------------------------------
>       To unsubscribe, e-mail:
> issues-unsubscribe at webcommittee.osgeo.org
>       For additional commands, e-mail:
> issues-help at webcommittee.osgeo.org
>      
>      
>
>
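
Added example (not part of the original thread, and not CollabNet or Project Tracker code): a small audit of the role listing quoted in Auke's message that flags state-changing permissions reachable by the anonymous principal. The `GRANTS`/`ROLES` structures, the `ANONYMOUS` set and the choice of which actions count as writes are assumptions made for illustration.

```python
import re

# Role listing in the format quoted in Auke's message (copied from the thread).
ROLE_TEXT = """\
Project Issue Tracking - Add Comment  All applicable resources: .*
Project Issue Tracking - Assignable   All applicable resources: .*
Project Issue Tracking - Attach File  All applicable resources: .*
Project Issue Tracking - Query        All applicable resources: .*
Project Issue Tracking - Submit       All applicable resources: .*
"""
ROLE = "webcommittee.guest for issue tracker"
ROLES = {ROLE: ROLE_TEXT}
# Grants as described in the thread: both principals hold the same role.
GRANTS = {"*Domain Users": [ROLE], "guest": [ROLE]}

# Assumptions: which principals are unauthenticated, and which actions
# change tracker state. Per the thread, Submit covers both creating an
# artifact from scratch and copying an existing one.
ANONYMOUS = {"guest"}
WRITE_ACTIONS = {"Add Comment", "Attach File", "Submit"}

LINE_RE = re.compile(
    r"^\s*(?P<area>.+?) - (?P<action>.+?)\s{2,}"
    r"All applicable resources:\s*(?P<pattern>\S+)\s*$"
)

def parse_role(text):
    """Return (area, action, resource_pattern) for each permission line."""
    perms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised permission line: {line!r}")
        perms.append((m["area"], m["action"], m["pattern"]))
    return perms

def anonymous_write_findings(grants, roles):
    """List (principal, role, action, pattern) for anonymous write access."""
    findings = []
    for principal in sorted(grants):
        if principal not in ANONYMOUS:
            continue
        for role in grants[principal]:
            for _area, action, pattern in parse_role(roles[role]):
                if action in WRITE_ACTIONS:
                    findings.append((principal, role, action, pattern))
    return findings

if __name__ == "__main__":
    for finding in anonymous_write_findings(GRANTS, ROLES):
        print("anonymous write access:", finding)
```

Removing the `guest` entry from `GRANTS`, which corresponds to the first remedy suggested in the thread, leaves the audit with no findings.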
