Opened on 03/15/2016 at 02:42:41 PM
Closed on 03/15/2016 at 04:00:20 PM
#3805 closed defect (fixed)
update_issues hook does not update issues marked as sensitive
Reported by: | fhd | Assignee: | |
---|---|---|---|
Priority: | Unknown | Milestone: | |
Module: | Sitescripts | Keywords: | |
Cc: | sebastian | Blocked By: | |
Blocking: | Platform: | Unknown / Cross platform | |
Ready: | no | Confidential: | no |
Tester: | Unknown | Verified working: | no |
Review URL(s): |
Description
How to reproduce
- Create an issue and mark it as confidential/sensitive.
- Make a commit to any repository that has the update_issues hook configured referring to the issue just created.
Observed behaviour
No comment gets added to the issue.
Expected behaviour
The hook should add a comment to the issue, referencing the commit.
Notes
The issue where we first noticed this is #3719.
Attachments (0)
Change History (6)
comment:1 Changed on 03/15/2016 at 02:43:03 PM by fhd
- Component changed from Unknown to Sitescripts
comment:2 Changed on 03/15/2016 at 03:38:41 PM by sebastian
comment:3 Changed on 03/15/2016 at 03:40:51 PM by fhd
How I understood it, it has universal access... But let me try and grant that permission explicitly.
comment:4 Changed on 03/15/2016 at 03:45:33 PM by fhd
Done. But TBH I would be mildly surprised if this changes much. How I understand it, the XML_RPC permission is sufficient for unrestricted database access. Well, we'll see.
comment:5 Changed on 03/15/2016 at 03:49:15 PM by sebastian
The XML_RPC permission is used to grant users access to using the RPC interface
So how I understand it, that permission doesn't do anything, except granting access to /rpc endpoint.
comment:6 Changed on 03/15/2016 at 04:00:20 PM by fhd
- Resolution set to fixed
- Status changed from new to closed
How I understood it, that permission provides unrestricted database access through the API. But apparently sensitive issues at least are a different matter because giving the abpbot user the SENSITIVE_VIEW permission actually does fix this, just verified with #3806 and some commits pushed to the adblockplussafariios repository which I'm going to strip now. Without the permission, updating the issue fails, with the permission, it works just fine.
I would suppose that this is rather an issue with the permissions, rather than a bug in the code. Does the abpbot user have permissions to access confidential issues?