Andy Kurth created VCL-908:
------------------------------
Summary: Image owner string is not validated when creating a new image
Key: VCL-908
URL: https://issues.apache.org/jira/browse/VCL-908
Project: VCL
Issue Type: Bug
Components: web gui (frontend)
Affects Versions: 2.4.2
Reporter: Andy Kurth

This issue came up in this
[thread|http://markmail.org/message/bugb4fobnafvpxe7] on the dev list. I have
not verified this myself, but apparently a user creating a new image can enter
a string in the image owner field which doesn't match an existing
_user.unityid_ value. This could potentially be dangerous but also causes the
image capture initiation to fail. The _INSERT_ query in the web code fails
because _image.ownerid_ is NULL.

I don't see much of a need to have this field displayed when capturing a new
image. Image owners do need to be changed on rare occasion, however, why would
someone want to change it before it is captured? The person capturing it would
usually test the image after a successful capture. What happens if someone
changes the owner but accidentally enters the wrong _user.unityid_ value?
Could the first user lock himself out of controlling the image after it is
captured?

Another issue... if someone changes the owner to another valid user, the other
user (new owner) would not receive any capture successful/delayed messages.
These are only sent to the image capture request user (_request.userid_).

I propose removing the owner field for new image captures. The field should
still be available from _Manage Images_ --> _Edit Image Profiles_ but this
field should always be validated. Long term, we should think about separating
the action of changing an image owner from _Edit Image Profiles_. Perhaps a
specific action could be added similar to the new _Edit Computer Profiles_
actions.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
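
The failure mode reported above and the validation it asks for, as an added example that is not VCL's own code. Assumptions: the schema is reduced to the columns named in the issue, _image.ownerid_ is taken to be NOT NULL, and all function names are hypothetical.

```python
import sqlite3

# Constructed minimal schema: only the columns named in the issue plus an
# image name. The NOT NULL constraint on image.ownerid is an assumption.
SCHEMA = """
CREATE TABLE user  (id INTEGER PRIMARY KEY, unityid TEXT NOT NULL UNIQUE);
CREATE TABLE image (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                    ownerid INTEGER NOT NULL REFERENCES user(id));
INSERT INTO user (unityid) VALUES ('alice'), ('bob');
"""

def open_db():
    """Create an in-memory database with two constructed users."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def owner_id(db, owner):
    """Return user.id for an owner string, or None if no user matches."""
    row = db.execute("SELECT id FROM user WHERE unityid = ?",
                     (owner.strip(),)).fetchone()
    return row[0] if row else None

def create_image_unvalidated(db, name, owner):
    """Reported behaviour: the lookup result is used unchecked, so an
    unknown owner reaches the INSERT as NULL and the query fails."""
    db.execute("INSERT INTO image (name, ownerid) VALUES (?, ?)",
               (name, owner_id(db, owner)))

def create_image_validated(db, name, owner):
    """Reject the form input before any INSERT is attempted."""
    uid = owner_id(db, owner)
    if uid is None:
        # Fixed message: do not echo the submitted string back to the page.
        raise ValueError("image owner does not match an existing user")
    db.execute("INSERT INTO image (name, ownerid) VALUES (?, ?)", (name, uid))
    return uid

if __name__ == "__main__":
    db = open_db()
    try:
        create_image_unvalidated(db, "img1", "no-such-user")
    except sqlite3.IntegrityError as exc:
        print("unvalidated insert failed:", exc)
    try:
        create_image_validated(db, "img1", "no-such-user")
    except ValueError as exc:
        print("validated form rejected:", exc)
    print("owner id stored:", create_image_validated(db, "img1", "bob"))
```
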