[ https://issues.apache.org/jira/browse/VCL-908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15064471#comment-15064471 ]
ASF subversion and git services commented on VCL-908:
-----------------------------------------------------
Commit 1720840 from [~jfthomps] in branch 'vcl/trunk'
[ https://svn.apache.org/r1720840 ]
VCL-908 - Image owner string is not validated when creating a new image
utils.php: modified validateUserid: added block to handle corner case where no
affiliation is passed in as part of $loginid, shibboleth only authentication is
being used for the default affiliation, ALLOWADDSHIBUSERS is set to 1, and
there is an @ in $loginid
> Image owner string is not validated when creating a new image
> -------------------------------------------------------------
>
> Key: VCL-908
> URL: https://issues.apache.org/jira/browse/VCL-908
> Project: VCL
> Issue Type: Bug
> Components: web gui (frontend)
> Affects Versions: 2.4.2
> Reporter: Andy Kurth
>
> This issue came up in this
> [thread|http://markmail.org/message/bugb4fobnafvpxe7] on the dev list. I
> have not verified this myself, but apparently a user creating a new image can
> enter a string in the image owner field which doesn't match an existing
> _user.unityid_ value. This could potentially be dangerous but also causes
> the image capture initiation to fail. The _INSERT_ query in the web code
> fails because _image.ownerid_ is NULL.
> I don't see much of a need to have this field displayed when capturing a new
> image. Image owners do need to be changed on rare occasion, however, why
> would someone want to change it before it is captured? The person capturing
> it would usually test the image after a successful capture. What happens if
> someone changes the owner but accidentally enters the wrong _user.unityid_
> value? Could the first user lock himself out of controlling the image after
> it is captured?
> Another issue... if someone changes the owner to another valid user, the
> other user (new owner) would not receive any capture successful/delayed
> messages. These are only sent to the image capture request user
> (_request.userid_).
> I propose removing the owner field for new image captures. The field should
> still be available from _Manage Images_ --> _Edit Image Profiles_ but this
> field should always be validated. Long term, we should think about
> separating the action of changing an image owner from _Edit Image Profiles_.
> Perhaps a specific action could be added similar to the new _Edit Computer
> Profiles_ actions.
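The failure the report describes (an owner string that matches no user.unityid turns into a NULL image.ownerid and the INSERT fails) and the lookup-before-insert check it asks for are shown below in an added example that is not VCL's code. The schema, affiliations and users are constructed for the example and carry only the columns the issue names; the rule for deciding whether an '@' separates an affiliation suffix or is part of the id itself (the corner case the commit mentions for Shibboleth-style ids) is an assumption of this example, not a description of VCL's validateUserid.

```python
import sqlite3
from typing import Optional

# Constructed in-memory schema mirroring only the columns the issue names
# (user.unityid, image.ownerid). It is not VCL's real schema.
SCHEMA = """
CREATE TABLE affiliation (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE user (
    id INTEGER PRIMARY KEY,
    unityid TEXT NOT NULL,
    affiliationid INTEGER NOT NULL REFERENCES affiliation(id),
    UNIQUE (unityid, affiliationid)
);
CREATE TABLE image (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    ownerid INTEGER NOT NULL REFERENCES user(id)
);
"""

# Constructed sample data: 'Campus' is the default affiliation; the second user
# has an email-style id in which the '@' is part of the unityid itself.
SEED = [
    "INSERT INTO affiliation (id, name) VALUES (1, 'Campus'), (2, 'Partner')",
    "INSERT INTO user (id, unityid, affiliationid) VALUES (10, 'akurth', 1)",
    "INSERT INTO user (id, unityid, affiliationid) VALUES (11, 'jane@example.edu', 1)",
]

DEFAULT_AFFILIATION = "Campus"


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt in SEED:
        conn.execute(stmt)
    conn.commit()
    return conn


def lookup_owner_id(conn: sqlite3.Connection, owner_string: str) -> Optional[int]:
    """Resolve 'unityid' or 'unityid@affiliation' to user.id, or None if unknown."""
    unityid, affiliation = owner_string, DEFAULT_AFFILIATION
    if "@" in owner_string:
        head, _, tail = owner_string.rpartition("@")
        # Assumed rule: the tail is an affiliation only if one by that name exists;
        # otherwise the whole string is the id under the default affiliation.
        known = conn.execute("SELECT 1 FROM affiliation WHERE name = ?", (tail,)).fetchone()
        if known:
            unityid, affiliation = head, tail
    row = conn.execute(
        "SELECT user.id FROM user JOIN affiliation ON user.affiliationid = affiliation.id "
        "WHERE user.unityid = ? AND affiliation.name = ?",
        (unityid, affiliation),
    ).fetchone()
    return row[0] if row else None


def create_image_unvalidated(conn: sqlite3.Connection, name: str, owner_string: str) -> int:
    """Reproduces the reported defect: the lookup result is inserted as-is, so an
    unknown owner becomes NULL and the INSERT fails on the NOT NULL column."""
    ownerid = lookup_owner_id(conn, owner_string)
    cur = conn.execute("INSERT INTO image (name, ownerid) VALUES (?, ?)", (name, ownerid))
    conn.commit()
    return cur.lastrowid


def create_image_validated(conn: sqlite3.Connection, name: str, owner_string: str) -> int:
    """Hardened form: reject the request before touching the image table when the
    owner string does not resolve to an existing user."""
    ownerid = lookup_owner_id(conn, owner_string)
    if ownerid is None:
        raise ValueError(f"unknown image owner: {owner_string!r}")
    cur = conn.execute("INSERT INTO image (name, ownerid) VALUES (?, ?)", (name, ownerid))
    conn.commit()
    return cur.lastrowid


def image_owner(conn: sqlite3.Connection, image_id: int) -> Optional[int]:
    row = conn.execute("SELECT ownerid FROM image WHERE id = ?", (image_id,)).fetchone()
    return row[0] if row else None


def try_create(create, conn: sqlite3.Connection, name: str, owner_string: str) -> str:
    """Run one of the create functions and report the outcome as a short string."""
    try:
        return f"created:{create(conn, name, owner_string)}"
    except (sqlite3.IntegrityError, ValueError) as exc:
        return f"rejected:{type(exc).__name__}"


if __name__ == "__main__":
    db = open_db()
    print(try_create(create_image_unvalidated, db, "img-a", "nobody"))   # database error
    print(try_create(create_image_validated, db, "img-b", "nobody"))     # clean rejection
    print(try_create(create_image_validated, db, "img-c", "jane@example.edu"))
```

The two outcomes for the bad owner differ in where the failure surfaces: the unvalidated path only fails inside the database (the symptom the report describes), while the validated path refuses the request with a message the web form can show before any capture is initiated.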
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)