Put some band-aids on draft sharing by admin users.

Review Request #13398 — Created Nov. 2, 2023 and submitted

Information

Review Board
release-6.x

Reviewers

For a while, it's been possible for admin users to modify other people's
review requests. In most cases this is used for things like
reassignining the owner, but some people use it as a way to collaborate
on changes.

We've always had some weirdness with draft visibility by admins. They
could see that a draft was present, and prior to 6.0 would be able to
publish it, but they were never shown that draft data. Changes in 6.0
related to how things get published caused clicking the "Publish" button
to return an error.

This change adds two band-aids to this process. First, the details
data blob has been updated to always fetch the draft when the review
request is mutable by the requesting user. This makes it so admins will
see the draft data. Second, the batch endpoint has been updated to
fetch any existing draft rather than limiting by the requesting user.

  • Was able to manipulate and publish review requests by other users.
    Verified that both the review request owner and a separate admin user
    were able to see the draft data.
  • Ran unit tests.
Summary ID
Put some band-aids on draft sharing by admin users.
1530f7121182b304dca62169702427d68c2e88ec
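The two lookups described above, as a simplified model added here for illustration (not Review Board's code; every class and function name is hypothetical). It shows why fetching "any existing draft" is only safe behind the mutability check, and covers the admin-publish case the review asks to have tested.

```python
# Simplified model (added example; names are hypothetical, not Review Board's code).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


@dataclass
class Draft:
    summary: str


@dataclass
class ReviewRequest:
    owner: User
    draft: Optional[Draft] = None

    def is_mutable_by(self, user: User) -> bool:
        # Assumption: owners and admins may modify the review request.
        return user == self.owner or user.is_admin


def get_draft_owner_only(rr: ReviewRequest, user: User) -> Optional[Draft]:
    """Old behaviour (modelled): lookup limited to the requesting user's own draft."""
    return rr.draft if user == rr.owner else None


def get_draft_if_mutable(rr: ReviewRequest, user: User) -> Optional[Draft]:
    """New behaviour (modelled): any existing draft, gated on mutability."""
    if not rr.is_mutable_by(user):
        return None
    return rr.draft


def publish(rr: ReviewRequest, user: User, lookup) -> str:
    """Publish the draft found by `lookup`; error if the user can see none."""
    if not rr.is_mutable_by(user):
        raise PermissionError("user may not modify this review request")
    draft = lookup(rr, user)
    if draft is None:
        raise LookupError("no draft visible to this user")
    rr.draft = None  # the draft is consumed on publish
    return draft.summary
```
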
Description From Last Updated

We should probably add a unit test for publishing someone else's draft as an admin.

maubin

Typo in the first paragraph of the description: "reassignining".

chipx86

These can be combined.

chipx86
maubin
  1. Ship It!

maubin

    We should probably add a unit test for publishing someone else's draft as an admin.

david
chipx86

    Typo in the first paragraph of the description: "reassignining".

    reviewboard/reviews/detail.py (Diff revision 2)

    These can be combined.

david
Review request changed
Status:
Completed
Change Summary:
Pushed to release-6.x (139eed5)