Issue 23650 - Permission Issue Tracker Submit doesn't allow attachments / voting
Summary: Permission Issue Tracker Submit doesn't allow attachments / voting
Alias: None
Product: Infrastructure
Classification: Infrastructure
Component: Bugzilla (show other issues)
Version: current
Hardware: All All
: P2 Trivial (vote)
Target Milestone: ---
Assignee: Unknown
QA Contact: issues@www
Keywords: oooqa
: 31618 (view as issue list)
Depends on:
Blocks: 23231 23325 23993
  Show dependency tree
Reported: 2003-12-17 22:18 UTC by stx123
Modified: 2004-08-31 18:56 UTC (History)
6 users (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---

Logged in and no "Create a new attachment" link displayed (37.16 KB, image/jpeg)
2004-02-28 13:15 UTC, jacqueline.mcnally
no flags Details
Warning/Error message displayed when 8daysaweek attempts to add a comment to this issue (36.53 KB, image/jpeg)
2004-02-28 13:22 UTC, jacqueline.mcnally
no flags Details
sreenshot from bitsfritz logged in (79.60 KB, image/jpeg)
2004-07-09 13:23 UTC, bitsfritz
no flags Details
after uploading here... (60.41 KB, image/jpeg)
2004-07-09 13:27 UTC, bitsfritz
no flags Details

Note You need to log in before you can comment on or make changes to this issue.
Description stx123 2003-12-17 22:18:43 UTC
We are still looking to have the workflow of 1.1.3 IZ implemented on SC26 Issue 
Tracker. After the correcting of issue 22428 there are two actions which are 
not possible for a user with permission "Issue Tracker Submit":

- Create Attachments to submitted issues
- Vote on any issue
Comment 1 Unknown 2003-12-17 23:28:06 UTC
Assigning to Steve to follow up on this configuration issue as well.

Comment 2 lsuarezpotts 2003-12-17 23:53:53 UTC
Thanks for reassigning to Steve, Eric.  Are you saying that this issue is a Host Admin resolvable 
issue? in that case, please address it. 
Comment 3 Unknown 2003-12-18 05:06:05 UTC
If this is host admin resolvable I will assign it to Kenneth to address since he
is the primary support person for this site.

Comment 4 kerry 2003-12-18 20:15:07 UTC
This is assigned to the wrong kenneth.  Correcting.

In addition, this looks like a permissions problem.  I've opened internal 
issue PCN 24826 to find out which IZ permissions are associated with creating 
attachments and voting.  Updating whiteboard.
Comment 5 Unknown 2003-12-18 20:37:53 UTC
[reassigning to support, please don't change the assignment (for now)]

Question for ST: can you give me the name of one of the users who has complained
about this behavior? I'd like to look up his or her permissions and roles to
double-check the settings. I encountered this behavior once, but it was due to
my   error- as I was not logged in. (in the meantime I'll research this on my own)
Comment 6 stx123 2003-12-18 20:52:01 UTC
Hi Kerry,

Louis made the users happy by giving the role "Registered User" the permission
"Project Issue Change". But the consequence is that issues are filed with state
NEW by default.
We would like to revoke the permission "Project Issue Change" from "Registered
User" and "Observer" to achieve that normal users file issues with initial state
But with this removal of the permission we would also revoke users the
permission to attach sample documents and the ability to vote.

You see the conflict?

My understanding is that we have to find the same solution as for issue 22428.
Abilities for users with permission "Issue submit" should be extended. They
should be allowed to attach documents to issues they submitted and to vote on
any issue.

Thanks, Stefan
Comment 7 lsuarezpotts 2003-12-23 07:46:35 UTC
filed PCN 23938 to address modification of IZ permissions.  
Comment 8 kerry 2004-01-09 07:16:10 UTC
FYI, today, I escalated the priority of this issue internally.
Comment 9 Unknown 2004-02-03 13:16:03 UTC
Waiting for the engineers update on this in the internal issue.
Comment 10 Unknown 2004-02-18 05:13:07 UTC
Update :
Waiting for Engineers update

Next update: 
As & when the engineers post their repsonse

Comment 11 Martin Hollmichel 2004-02-26 21:32:49 UTC
to explain it more precise:

canconfirm user should be able to:
* submit issue in status new
* confirm unconfirmed issues.
* create attachment to all issues
* can comment to all issues
* can vote on all issue

common registered users are able to:
* submit issue in status unconfirmed
* can attach to own filed issues
* can comment on own issues
* can vote on all issues.

common registered user should also be able to:
* attach to all issues and comment on all issues.
Comment 12 jacqueline.mcnally 2004-02-28 13:15:57 UTC
Created attachment 13494 [details]
Logged in and no "Create a new attachment" link displayed
Comment 13 jacqueline.mcnally 2004-02-28 13:18:22 UTC
I am adding a comment for James (8daysaweek) who currently cannot add an
attachment to:
(See previous comment and attachment)

He also cannot see the "Create a new attachment" link for these issues:

Also, James cannot add a comment here to this issue.

James ( has voted on previous issues.
Comment 14 jacqueline.mcnally 2004-02-28 13:22:04 UTC
Created attachment 13495 [details]
Warning/Error message displayed when 8daysaweek attempts to add a comment to this issue
Comment 15 lohmaier 2004-03-07 00:34:22 UTC
don't know whether this is of any help, but replacing the
part by or did help for
qa-members (see )
Comment 16 Unknown 2004-03-10 23:03:40 UTC
Our instantiation engineers are continuing their research on this issue. We
should have a more substantial update by the end of the week.
Comment 17 Unknown 2004-03-10 23:07:04 UTC
I believe this issue was resolved after we fixed the problem with the
new/unconfirmed change in another issue.
Comment 18 Unknown 2004-03-11 21:52:17 UTC
Comment 19 stx123 2004-03-17 08:55:02 UTC
verified and closing
Comment 20 Martin Hollmichel 2004-06-25 15:07:28 UTC
a registered user is not longer able to do an attachment to an issue after the
last updgrade.
Comment 21 Unknown 2004-06-30 18:44:28 UTC
I just created a user bnoble_test who is only a registered user (no project 
associations) on the site and I am able, via that user, to create new issues and 
add attachments as well as vote in those issues.

I then made the user an observer (only query and submit IT perms) in a project 
and was also able to attach and vote my issues.

What am I missing?
Comment 22 stx123 2004-07-01 00:02:34 UTC
I assume you created the attachment as the second step of issue submission.
Would you (bnoble_test) try to add an attachment to your issue 30934 as a
separate action.
Thanks, Stefan
Comment 23 Unknown 2004-07-01 16:52:27 UTC
I have added attachments both as the second action of submitting issue 30934 and 
as an additional seperate action.
Comment 24 stx015 2004-07-01 22:12:28 UTC
You will not succeed to add an attachment to an issue you are not the owner of.
Comment 25 Unknown 2004-07-08 18:18:35 UTC
Opened another internal issue to investigate the inability of registered users 
to add attachments to issues.
Comment 26 bitsfritz 2004-07-09 13:04:05 UTC
Minutes ago I succeeded creating an attachment on issue 31060 which is not 
assigned to me nor created new. I just used the direct link and it worked 
If I login the "create attachment" link is not shown in the web form. 
Thus I think it is not a permission problem but a problem of the site creation 
Comment 27 bitsfritz 2004-07-09 13:23:26 UTC
Created attachment 16353 [details]
sreenshot from bitsfritz logged in
Comment 28 bitsfritz 2004-07-09 13:27:27 UTC
Created attachment 16354 [details]
after uploading here...
Comment 29 Unknown 2004-07-13 17:46:35 UTC
FYI, I cannot reproduce the above claims of attachments now being allowed.

Our engineers are prepared to make the correction to allow for attachments to be 
added but they have one last question:

ollabNet would like to point out that this setting (allow any registered user to 
attach files to any issue) is a security risk (Denial Of Service): any 
registered user can exhaust physical storage by uploading attachments.  
CollabNet would accept no liabilities for service interruptions of this sort.

Please confirm.
Comment 30 stx123 2004-07-13 21:18:50 UTC
See, we had this setup (re)introduced after the SC26 ugrade without any
liability clauses. You introduced the regression with the "fix" for issue 23993
and I'm a bit amazed that you are now asking for reassurance.

I'm willing to confirm that we wouldn't hold CollabNet liable for service
interuptions caused by exhausted storage due to a registered user adding
attachments to issues not owned or submitted by him.

(My first try for such an attack would be to add to my issues anyways)
Comment 31 Unknown 2004-07-13 21:25:35 UTC
Updated the engineers.
Comment 32 stx123 2004-07-20 08:46:10 UTC
*** Issue 31618 has been marked as a duplicate of this issue. ***
Comment 33 Unknown 2004-07-21 00:00:43 UTC
Queried the engineers again, they are ready to code this and just need to alloca 
te the time to do so.
Comment 34 Unknown 2004-07-28 00:09:37 UTC
The fix has been placed on the system.  Please test and 
confirm whether it is satisfactory.
Comment 35 Unknown 2004-07-28 15:43:14 UTC
I should have mentioned that I tested this on and was 
able to add an attachment to an issue as a registered user with no prior 
relationship to the issue.
Comment 36 stx123 2004-07-28 15:55:20 UTC
Thanks Brian. give us a day or two to verify the fix on the staging server.
Comment 37 stx123 2004-08-03 10:01:47 UTC
The fix looks good on stage. Please go ahead an plan for the installation on 
the production site.
Comment 38 Unknown 2004-08-03 22:15:31 UTC
We will need to restart the sandbox to get this installed.  The downtime should 
not be more than a few minutes (<10mins), when might be a good time?
Comment 39 stx123 2004-08-04 07:36:56 UTC
With a notification some days beforehand the preferred downtime is 4PM PDT.
Comment 40 Unknown 2004-08-05 18:39:10 UTC
How about Monday at 4pm PDT?
Comment 41 lsuarezpotts 2004-08-06 04:52:19 UTC
I can announce it tonight, giving us nearly the two full working days we suggest.
Comment 42 stx123 2004-08-06 10:57:08 UTC
fine with me.
Comment 43 Unknown 2004-08-10 00:16:21 UTC
Updated the live site with the patch to enable this functionality and tested 
successfully.  Please confirm.
Comment 44 stx123 2004-08-10 12:09:54 UTC
Please mark the issue as RESOLVED if you think the it's fixed.

The issue seems to be solved.
Thanks, Stefan
Comment 45 Unknown 2004-08-10 16:45:05 UTC
Marking resolved/fixed.
Comment 46 Unknown 2004-08-31 18:56:08 UTC
Closing this issue.