Opened 4 years ago

Closed 4 years ago

#3805 closed defect (fixed)

update_issues hook does not update issues marked as sensitive

Reported by: fhd
Assignee:
Priority: Unknown
Milestone:
Module: Sitescripts
Keywords:
Cc: sebastian
Blocked By:
Blocking:
Platform: Unknown / Cross platform
Ready: no
Confidential: no
Tester: Unknown
Verified working: no
Review URL(s):

Description

How to reproduce

  1. Create an issue and mark it as confidential/sensitive.
  2. Make a commit referring to the issue just created to any repository that has the update_issues hook configured.

Observed behaviour

No comment gets added to the issue.

Expected behaviour

The hook should add a comment to the issue, referencing the commit.

Notes

The issue where we first noticed this is #3719.

Change History (6)

comment:1 Changed 4 years ago by fhd

  • Component changed from Unknown to Sitescripts

comment:2 Changed 4 years ago by sebastian

I would suppose that this is an issue with the permissions, rather than a bug in the code. Does the abpbot user have permissions to access confidential issues?

comment:3 Changed 4 years ago by fhd

How I understood it, it has universal access... But let me try and grant that permission explicitly.

comment:4 Changed 4 years ago by fhd

Done. But TBH I would be mildly surprised if this changes much. How I understand it, the XML_RPC permission is sufficient for unrestricted database access. Well, we'll see.

comment:5 Changed 4 years ago by sebastian

The XML_RPC permission is used to grant users access to using the RPC interface

So how I understand it, that permission doesn't do anything, except granting access to the /rpc endpoint.

comment:6 Changed 4 years ago by fhd

  • Resolution set to fixed
  • Status changed from new to closed

How I understood it, that permission provides unrestricted database access through the API. But apparently sensitive issues at least are a different matter, because giving the abpbot user the SENSITIVE_VIEW permission actually does fix this; just verified with #3806 and some commits pushed to the adblockplussafariios repository, which I'm going to strip now. Without the permission, updating the issue fails; with the permission, it works just fine.
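An added example, not part of the original ticket or the sitescripts code: a hook-side helper that reports a refused XML-RPC ticket update instead of dropping it silently, run against a constructed in-memory stand-in for the tracker. The 403 fault code, the fault messages, the `FakeTrac` class, the ticket ids and the commit reference are assumptions made for illustration.

```python
import xmlrpc.client

PERMISSION_DENIED = 403  # assumption: fault code the server uses for a refused permission


def comment_on_ticket(proxy, ticket_id, comment):
    """Add a comment via ticket.update; return (ok, reason) instead of failing silently."""
    try:
        proxy.ticket.update(ticket_id, comment, {}, False)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == PERMISSION_DENIED:
            return False, "permission denied: " + fault.faultString
        return False, "rpc fault %d: %s" % (fault.faultCode, fault.faultString)
    return True, "updated"


class FakeTrac:
    """Constructed in-memory stand-in for the tracker; models only two permissions."""

    def __init__(self, permissions, sensitive_ids):
        self.permissions = set(permissions)
        self.sensitive_ids = set(sensitive_ids)
        self.comments = {}
        self.ticket = self  # so callers can write proxy.ticket.update(...)

    def update(self, ticket_id, comment, attributes, notify):
        if "XML_RPC" not in self.permissions:  # gate on the RPC endpoint itself
            raise xmlrpc.client.Fault(403, "XML_RPC privileges are required")
        if ticket_id in self.sensitive_ids and "SENSITIVE_VIEW" not in self.permissions:
            raise xmlrpc.client.Fault(403, "SENSITIVE_VIEW privileges are required")
        self.comments.setdefault(ticket_id, []).append(comment)
        return ticket_id


def demo():
    """Post one commit comment to a normal (101) and a sensitive (102) ticket."""
    results = {}
    for perms in (("XML_RPC",), ("XML_RPC", "SENSITIVE_VIEW")):
        server = FakeTrac(perms, sensitive_ids={102})
        for ticket_id in (101, 102):
            results[(perms, ticket_id)] = comment_on_ticket(
                server, ticket_id, "Commit 0123abcd refers to this issue")
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

Against a real tracker, `proxy` would be an `xmlrpc.client.ServerProxy` for the RPC endpoint, and the returned reason would go to the hook's log so a missing permission on the bot account shows up at push time.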
