You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@vcl.apache.org by "Andy Kurth (JIRA)" <ji...@apache.org> on 2015/09/25 21:07:04 UTC

[jira] [Created] (VCL-908) Image owner string is not validated when creating a new image

Andy Kurth created VCL-908:
------------------------------

             Summary: Image owner string is not validated when creating a new image
                 Key: VCL-908
                 URL: https://issues.apache.org/jira/browse/VCL-908
             Project: VCL
          Issue Type: Bug
          Components: web gui (frontend)
    Affects Versions: 2.4.2
            Reporter: Andy Kurth


This issue came up in this [thread|http://markmail.org/message/bugb4fobnafvpxe7] on the dev list.  I have not verified this myself, but apparently a user creating a new image can enter a string in the image owner field which doesn't match an existing _user.unityid_ value.  This could potentially be dangerous but also causes the image capture initiation to fail.  The _INSERT_ query in the web code fails because _image.ownerid_ is NULL.

I don't see much of a need to have this field displayed when capturing a new image.  Image owners do need to be changed on rare occasion, however, why would someone want to change it before it is captured?  The person capturing it would usually test the image after a successful capture.  What happens if someone changes the owner but accidentally enters the wrong _user.unityid_ value?  Could the first user lock himself out of controlling the image after it is captured?

Another issue... if someone changes the owner to another valid user, the other user (new owner) would not receive any capture successful/delayed messages.  These are only sent to the image capture request user (_request.userid_).  

I propose removing the owner field for new image captures.  The field should still be available from _Manage Images_ --> _Edit Image Profiles_ but this field should always be validated.  Long term, we should think about separating the action of changing an image owner from _Edit Image Profiles_.  Perhaps a specific action could be added similar to the new _Edit Computer Profiles_ actions.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)