View attachment fail with 500 ISE #160

Closed
Ariusxiang opened this issue Dec 27, 2017 · 6 comments

@Ariusxiang

WARNING: do not publicly report security issues in the bug tracker!
Ping us via email to coordinate the fix and disclosure of the problem!

Description of problem

https://demo.kiwitcms.org/case/71/#attachment

Component (web, API, etc)

web

How often reproducible

100%

Steps to Reproduce

  1. Browse into a test case
  2. upload a png file as attachment
  3. view the uploaded file on step 2

Actual results

500 ISE error page

Expected results

Showing the attachment or download the attachment

atodorov added a commit that referenced this issue Dec 30, 2017
- serve these files locally in DEBUG mode
- serve the uploads directory via Apache in production
atodorov added a commit that referenced this issue Dec 30, 2017
- remove tcms/core/files.py
- remove now-unused home-grown attachment models
- remove related factories and update tests
- update templates
- update JavaScript files (remove unnecessary parts)
- update default permissions

As part of this change we no longer copy Plan and Case
attachments when cloning these objects.

NOTE: Since django-attachments introduces new permission objects
you will have to adjust default permissions for existing users.
In order for them to be able to upload/delete their own files they
need to have `attachments.add_attachment` and `attachments.delete_attachment`
permissions.

These same permissions are added by default to the 'Tester' group.
If you are running an existing installation registering a new user
with Kiwi TCMS will update the default permissions for this group!

Migrations for 'testcases':
    - Remove field attachment from testcaseattachment
    - Remove field case from testcaseattachment
    - Remove field case_run from testcaseattachment
    - Remove field attachment from testcase
    - Delete model TestCaseAttachment
Migrations for 'testplans':
    - Remove field attachment from testplanattachment
    - Remove field plan from testplanattachment
    - Remove field attachment from testplan
    - Delete model TestPlanAttachment
Migrations for 'management':
    - Remove field submitter from testattachment
    - Remove field attachment from testattachmentdata
    - Delete model TestAttachment
    - Delete model TestAttachmentData
atodorov added a commit that referenced this issue Dec 30, 2017
- serve these files locally in DEBUG mode
- serve the uploads directory via Apache in production

@calvinmqc

I noticed another issue with 4.1.0 version:

Browse into a test plan > test case > Attachment
Click the add button beside "Add attachment"
It redirects me to the login page right away (it does not show the wizard to select an attachment)

If I use root account, this issue does not happen. Initially I thought this is related to the user permissions. Therefore I tested it as below:

Login as root, go to Groups, go to Tester
Add all available permissions on the left panel to the right panel
Save
Login again as one user under Tester group, try to add attachment and the issue is still the same

Login as root, go to Users, click the test user
Add all available permissions on the left panel to the right panel
Save
Login again as the test user I just modified, add an attachment but the issue is still the same

However, if I go to Users, click the test user, check the Superuser option, save it. Then the issue does not reoccur. So it looks like only super user (root) can add attachment successfully in this version.

I do plan to upgrade to the latest version. But when I check the release note, it does not mention this issue so I assume it will still be the same even after I upgrade to the latest version.

Any suggestion? Thanks for your time! @atodorov

@atodorov
Member

@calvinmqc please retest with the latest 4.1.4 version and report as a new issue if you still see problems.

@calvinmqc

calvinmqc commented May 11, 2018

I upgraded to version 4.1.4 today and tested the attachment feature.
There is no change. I can reproduce the issue with the previous steps.
It is exactly the same symptom so I think it is a bug.
The only way to work around it now is to change the test user to be a root account.

@andyflury

The issue still seems to be there with the latest docker image.
I still get a 500 ISE error page when trying to upload files (even with the root account).
Is there maybe an older version of Kiwi that I can use where uploads still worked?

@arafuls

arafuls commented May 27, 2020

I am still getting this issue. Is there a workaround?

Users with appropriate permission still cannot view or add attachments unless they are promoted to superuser.

@atodorov
Member

@arafuls this is a fairly old issue. Open a new one and provide more information as per the bug template. Also make sure you are using the latest version (which is 8.3 at the moment).
