Summary

Put some band-aids on draft sharing by admin users.

Review Request #13398 — Created Nov. 2, 2023 and submitted Nov. 3, 2023, 9:22 p.m.

Information

Owner

david

Repository

Review Board

Branch

release-6.x

Bugs

Depends On

Reviewers

Groups

reviewboard

People

Description

For a while, it's been possible for admin users to modify other people's

review requests. In most cases this is used for things like

reassignining the owner, but some people use it as a way to collaborate

on changes.
We've always had some weirdness with draft visibility by admins. They

could see that a draft was present, and prior to 6.0 would be able to

publish it, but they were never shown that draft data. Changes in 6.0

related to how things get published caused clicking the "Publish" button

to return an error.
This change adds two band-aids to this process. First, the details

data blob has been updated to always fetch the draft when the review

request is mutable by the requesting user. This makes it so admins will

see the draft data. Second, the batch endpoint has been updated to

fetch any existing draft rather than limiting by the requesting user.

Testing Done


Was able to manipulate and publish review requests by other users.

  Verified that both the review request owner and a separate admin user

  were able to see the draft data.
Ran unit tests.

Commits

Summary	ID
Put some band-aids on draft sharing by admin users. For a while, it's been possible for admin users to modify other people's review requests. In most cases this is used for things like reassignining the owner, but some people use it as a way to collaborate on changes. We've always had some weirdness with draft visibility by admins. They could see that a draft was present, and prior to 6.0 would be able to publish it, but they were never shown that draft data. Changes in 6.0 related to how things get published caused clicking the "Publish" button to return an error. This change adds two band-aids to this process. First, the details data blob has been updated to always fetch the draft when the review request is mutable by the requesting user. This makes it so admins will see the draft data. Second, the batch endpoint has been updated to fetch any existing draft rather than limiting by the requesting user. Testing Done: - Was able to manipulate and publish review requests by other users. Verified that both the review request owner and a separate admin user were able to see the draft data. - Ran unit tests.	1530f7121182b304dca62169702427d68c2e88ec

Summary

Put some band-aids on draft sharing by admin users.

For a while, it's been possible for admin users to modify other people's review requests. In most cases this is used for things like reassignining the owner, but some people use it as a way to collaborate on changes. We've always had some weirdness with draft visibility by admins. They could see that a draft was present, and prior to 6.0 would be able to publish it, but they were never shown that draft data. Changes in 6.0 related to how things get published caused clicking the "Publish" button to return an error. This change adds two band-aids to this process. First, the details data blob has been updated to always fetch the draft when the review request is mutable by the requesting user. This makes it so admins will see the draft data. Second, the batch endpoint has been updated to fetch any existing draft rather than limiting by the requesting user. Testing Done: - Was able to manipulate and publish review requests by other users. Verified that both the review request owner and a separate admin user were able to see the draft data. - Ran unit tests.

1530f7121182b304dca62169702427d68c2e88ec

Issues

Description	From	Last Updated
We should probably add a unit test for publishing someone else's draft as an admin.	maubin	Nov. 3, 2023, 3:05 p.m.
Typo in the first paragraph of the description: "reassignining".	chipx86	Nov. 3, 2023, 9:21 p.m.
These can be combined.	chipx86	Nov. 3, 2023, 9:20 p.m.

flake8 passed.

JSHint passed.

```
Ship It!
```

The issue has been resolved. Show all issues

We should probably add a unit test for publishing someone else's draft as an admin.

Change Summary:

Add a unit test.

Commits:

	Summary	ID
	Put some band-aids on draft sharing by admin users. For a while, it's been possible for admin users to modify other people's review requests. In most cases this is used for things like reassignining the owner, but some people use it as a way to collaborate on changes. We've always had some weirdness with draft visibility by admins. They could see that a draft was present, and prior to 6.0 would be able to publish it, but they were never shown that draft data. Changes in 6.0 related to how things get published caused clicking the "Publish" button to return an error. This change adds two band-aids to this process. First, the details data blob has been updated to always fetch the draft when the review request is mutable by the requesting user. This makes it so admins will see the draft data. Second, the batch endpoint has been updated to fetch any existing draft rather than limiting by the requesting user. Testing Done: Was able to manipulate and publish review requests by other users. Verified that both the review request owner and a separate admin user were able to see the draft data.	e201c492e826cbf671dde22048b6467a800ec36a
	Put some band-aids on draft sharing by admin users. For a while, it's been possible for admin users to modify other people's review requests. In most cases this is used for things like reassignining the owner, but some people use it as a way to collaborate on changes. We've always had some weirdness with draft visibility by admins. They could see that a draft was present, and prior to 6.0 would be able to publish it, but they were never shown that draft data. Changes in 6.0 related to how things get published caused clicking the "Publish" button to return an error. This change adds two band-aids to this process. First, the details data blob has been updated to always fetch the draft when the review request is mutable by the requesting user. This makes it so admins will see the draft data. Second, the batch endpoint has been updated to fetch any existing draft rather than limiting by the requesting user. Testing Done: - Was able to manipulate and publish review requests by other users. Verified that both the review request owner and a separate admin user were able to see the draft data. - Ran unit tests.	1530f7121182b304dca62169702427d68c2e88ec

Diff:

Revision 2 (+58 -4)

Show changes

	reviewboard/reviews/detail.py
	reviewboard/reviews/tests/test_batch_view.py
	reviewboard/reviews/views/batch.py

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

The issue has been resolved. Show all issues

Typo in the first paragraph of the description: "reassignining".

reviewboard/reviews/detail.py (Diff revision 2)
The issue has been resolved. Show all issues
```
These can be combined.
```

Status: Closed (submitted)

Change Summary:

Pushed to release-6.x (139eed5)