Posted to dev@vcl.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2015/12/18 19:58:46 UTC

[jira] [Commented] (VCL-908) Image owner string is not validated when creating a new image

    [ https://issues.apache.org/jira/browse/VCL-908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15064471#comment-15064471 ] 

ASF subversion and git services commented on VCL-908:
-----------------------------------------------------

Commit 1720840 from [~jfthomps] in branch 'vcl/trunk'
[ https://svn.apache.org/r1720840 ]

VCL-908 - Image owner string is not validated when creating a new image

utils.php: modified validateUserid: added block to handle corner case where no affiliation is passed in as part of $loginid, shibboleth only authentication is being used for the default affiliation, ALLOWADDSHIBUSERS is set to 1, and there is an @ in $loginid

> Image owner string is not validated when creating a new image
> -------------------------------------------------------------
>
>                 Key: VCL-908
>                 URL: https://issues.apache.org/jira/browse/VCL-908
>             Project: VCL
>          Issue Type: Bug
>          Components: web gui (frontend)
>    Affects Versions: 2.4.2
>            Reporter: Andy Kurth
>
> This issue came up in this [thread|http://markmail.org/message/bugb4fobnafvpxe7] on the dev list.  I have not verified this myself, but apparently a user creating a new image can enter a string in the image owner field which doesn't match an existing _user.unityid_ value.  This could potentially be dangerous but also causes the image capture initiation to fail.  The _INSERT_ query in the web code fails because _image.ownerid_ is NULL.
> I don't see much of a need to have this field displayed when capturing a new image.  Image owners do need to be changed on rare occasion, however, why would someone want to change it before it is captured?  The person capturing it would usually test the image after a successful capture.  What happens if someone changes the owner but accidentally enters the wrong _user.unityid_ value?  Could the first user lock himself out of controlling the image after it is captured?
> Another issue... if someone changes the owner to another valid user, the other user (new owner) would not receive any capture successful/delayed messages.  These are only sent to the image capture request user (_request.userid_).  
> I propose removing the owner field for new image captures.  The field should still be available from _Manage Images_ --> _Edit Image Profiles_ but this field should always be validated.  Long term, we should think about separating the action of changing an image owner from _Edit Image Profiles_.  Perhaps a specific action could be added similar to the new _Edit Computer Profiles_ actions.
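The defect described in the report is that the owner string typed into the form is never checked against the user table, so an unknown owner becomes a NULL _image.ownerid_ and the _INSERT_ fails. The following is an added example, not VCL's own code and not the fix committed in r1720840: it shows the unvalidated insert beside a hardened version that resolves the owner to a user id first and refuses the request with a clear error otherwise. The table layout (`user`, `affiliation`, `image`), the `userid@affiliation` convention and the helper names are assumptions made for the example; the data is constructed inline and the whole script runs against an in-memory SQLite database.

```php
<?php
// Added example (not VCL code): validate an image owner string against the user
// table before INSERT, instead of letting an unknown owner become a NULL ownerid.
// Schema, table names and the "userid@affiliation" convention are assumptions.

declare(strict_types=1);

function openDemoDb(): PDO
{
    // Constructed in-memory schema standing in for the VCL user/image tables.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE affiliation (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, unityid TEXT NOT NULL,
               affiliationid INTEGER NOT NULL REFERENCES affiliation(id),
               UNIQUE (unityid, affiliationid))');
    $db->exec('CREATE TABLE image (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
               ownerid INTEGER NOT NULL REFERENCES user(id))');
    $db->exec("INSERT INTO affiliation (id, name) VALUES (1, 'Local'), (2, 'Example')");
    $db->exec("INSERT INTO user (id, unityid, affiliationid) VALUES (10, 'alice', 1), (11, 'bob', 2)");
    return $db;
}

/** Split "userid@affiliation" into its parts; a bare userid gets the default affiliation. */
function parseOwnerString(string $owner, string $defaultAffiliation): ?array
{
    $owner = trim($owner);
    // Only the characters a unityid / affiliation name is expected to contain (assumption).
    if (!preg_match('/^([A-Za-z0-9._-]+)(?:@([A-Za-z0-9._-]+))?$/', $owner, $m)) {
        return null;
    }
    return ['unityid' => $m[1], 'affiliation' => $m[2] ?? $defaultAffiliation];
}

/** Return user.id for a validated owner string, or null when no such user exists. */
function lookupOwnerId(PDO $db, string $owner, string $defaultAffiliation = 'Local'): ?int
{
    $parts = parseOwnerString($owner, $defaultAffiliation);
    if ($parts === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT u.id FROM user u JOIN affiliation a ON a.id = u.affiliationid
                          WHERE u.unityid = :unityid AND a.name = :affiliation');
    $stmt->execute([':unityid' => $parts['unityid'], ':affiliation' => $parts['affiliation']]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

/** The failure mode from the report: the owner is never checked, so an unknown owner yields a NULL ownerid. */
function createImageUnvalidated(PDO $db, string $name, string $owner): void
{
    $stmt = $db->prepare('INSERT INTO image (name, ownerid)
                          VALUES (:name, (SELECT id FROM user WHERE unityid = :owner))');
    // Throws "NOT NULL constraint failed: image.ownerid" for an unknown owner.
    $stmt->execute([':name' => $name, ':owner' => $owner]);
}

/** Hardened form: resolve and validate the owner first; refuse the request with a clear error otherwise. */
function createImageValidated(PDO $db, string $name, string $owner): int
{
    $ownerId = lookupOwnerId($db, $owner);
    if ($ownerId === null) {
        throw new InvalidArgumentException("Image owner '$owner' does not match an existing user");
    }
    $stmt = $db->prepare('INSERT INTO image (name, ownerid) VALUES (:name, :ownerid)');
    $stmt->execute([':name' => $name, ':ownerid' => $ownerId]);
    return (int) $db->lastInsertId();
}

$db = openDemoDb();
echo createImageValidated($db, 'base-image', 'alice'), PHP_EOL;       // owner resolved via default affiliation
echo createImageValidated($db, 'lab-image', 'bob@Example'), PHP_EOL;  // owner resolved via explicit affiliation

// 'bob' alone fails because bob is not in the default affiliation; 'al ice' fails the syntax check.
foreach (['nobody', 'bob', 'al ice'] as $bad) {
    try {
        createImageValidated($db, 'x', $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// The unvalidated path only surfaces the problem as a database error at INSERT time.
try {
    createImageUnvalidated($db, 'x', 'nobody');
} catch (PDOException $e) {
    echo 'unvalidated insert failed: ', $e->getMessage(), PHP_EOL;
}
```

The point of the split into `parseOwnerString` and `lookupOwnerId` is that the owner is resolved to a row id before any write happens, so a typo in the owner field is reported to the user as a validation error rather than surfacing later as a failed capture, and the resulting row can never carry a NULL owner.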



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)