Opened on 03/15/2016 at 02:42:41 PM

Closed on 03/15/2016 at 04:00:20 PM

#3805 closed defect (fixed)

update_issues hook does not update issues marked as sensitive

Reported by: fhd Assignee:
Priority: Unknown Milestone:
Module: Sitescripts Keywords:
Cc: sebastian Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: no Confidential: no
Tester: Unknown Verified working: no
Review URL(s):


How to reproduce

  1. Create an issue and mark it as confidential/sensitive.
  2. Make a commit to any repository that has the update_issues hook configured referring to the issue just created.

Observed behaviour

No comment gets added to the issue.

Expected behaviour

The hook should add a comment to the issue, referencing the commit.


The issue where we first noticed this is #3719.

Attachments (0)

Change History (6)

comment:1 Changed on 03/15/2016 at 02:43:03 PM by fhd

  • Component changed from Unknown to Sitescripts

comment:2 Changed on 03/15/2016 at 03:38:41 PM by sebastian

I would suppose that this is rather an issue with the permissions, rather than a bug in the code. Does the abpbot user have permissions to access confidential issues?

comment:3 Changed on 03/15/2016 at 03:40:51 PM by fhd

How I understood it, it has universal access... But let me try and grant that permission explicitly.

comment:4 Changed on 03/15/2016 at 03:45:33 PM by fhd

Done. But TBH I would be mildly surprised if this changes much. How I understand it, the XML_RPC permission is sufficient for unrestricted database access. Well, we'll see.

comment:5 Changed on 03/15/2016 at 03:49:15 PM by sebastian

The XML_RPC permission is used to grant users access to using the RPC interface

So how I understand it, that permission doesn't do anything, except granting access to /rpc endpoint.

comment:6 Changed on 03/15/2016 at 04:00:20 PM by fhd

  • Resolution set to fixed
  • Status changed from new to closed

How I understood it, that permission provides unrestricted database access through the API. But apparently sensitive issues at least are a different matter because giving the abpbot user the SENSITIVE_VIEW permission actually does fix this, just verified with #3806 and some commits pushed to the adblockplussafariios repository which I'm going to strip now. Without the permission, updating the issue fails, with the permission, it works just fine.

Add Comment

Modify Ticket

Change Properties
as closed .
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from (none).
Note: See TracTickets for help on using tickets.