Gemini Community Support Site





Add Comments -> Security Issue?!

web-app

Hi,

I'm having a weird issue. Will try to describe briefly just to see if someone can reproduce it.

I have created a user who can only view her own issues and add comments. So, she cannot edit any fields. This is set by the Security Scheme and also the Field Visibility Scheme. However... when this user goes to add a Comment (clicks the Comments text, not the little +), she gets access to the whole issue together with the comment box. Any value can be changed, irrespective of the Security Scheme settings or the Field Visibility Scheme. Whereas, if she clicks "+" to add a Comment, the pop-up with only the Comment text box appears, which is the expected behavior.
This is a huge security breach. Although Gemini will log all the actions and comments, just the option of seeing them and changing them looks like a bug.

Can someone confirm this is the case or whether I'm doing something wrong?

Best regards,

Alen

MisterY
Replies (3)

A quick clarification... (just found out)

Clicking Comments opens the Comment page, while
clicking + opens the Quick Comments page.


MisterY

After going through the documentation (RTFM, I know), the solution to this is to create Field Visibility Schemes for Creating, Editing, Viewing, and Commenting. These schemes are then assigned to Issue Type(s).
So, a Bug would be linked to a Field Visibility Scheme that allows only certain fields to be visible when Commenting.

Hm, this is a bit counterintuitive but at least it works and gets me where I wanted to be in the first place.
I would like to know the background on this kind of setup just to be able to understand it better.

Cheers!


MisterY

This is by design...

You now have the control to determine what users can see and change when adding a comment (not Quick Comment).

This allows for scenarios where people who cannot "Edit an Issue" have the ability to update certain issue fields when logging a comment.

Hence a Field Visibility Scheme should be defined for Comments so that you can precisely control who can do what.





Harvey Kandola
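
The setup discussed in this thread, as an added illustration that is not Gemini's code or API and was not posted by any participant: a hypothetical model of per-action field schemes assigned to issue types, with an audit for issue types that lack a Commenting scheme and a server-side filter for a submitted comment form. The names `SCHEMES`, `missing_schemes` and `apply_update`, the field names, the sample data and the default-deny behaviour are all assumptions.

```python
# Hypothetical model of per-action field schemes; not Gemini's API.
ACTIONS = ("create", "edit", "view", "comment")

# Constructed sample configuration: issue type -> action -> fields the user may set.
SCHEMES = {
    "Bug": {
        "create": {"title", "description", "priority"},
        "edit": {"title", "description", "priority", "status", "assignee"},
        "view": set(),
        "comment": {"comment"},  # explicit scheme for the full Comment page
    },
    "Task": {
        "create": {"title", "description"},
        "edit": {"title", "description", "status"},
        "view": set(),
        # no "comment" scheme: the gap described in the thread
    },
}


def missing_schemes(schemes):
    """Return (issue_type, action) pairs that have no explicit scheme."""
    return sorted(
        (issue_type, action)
        for issue_type, per_action in schemes.items()
        for action in ACTIONS
        if action not in per_action
    )


def apply_update(schemes, issue_type, action, submitted):
    """Split a submitted form into accepted fields and rejected field names.

    Assumption of this sketch: an action without a scheme allows nothing
    (default deny), so a missing scheme cannot expose every field.
    """
    allowed = schemes.get(issue_type, {}).get(action, set())
    accepted = {k: v for k, v in submitted.items() if k in allowed}
    rejected = sorted(set(submitted) - allowed)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed form as it might arrive from the full Comment page.
    form = {"comment": "Still failing on build 12", "status": "Closed", "priority": "Low"}
    print("missing:", missing_schemes(SCHEMES))
    print("Bug/comment:", apply_update(SCHEMES, "Bug", "comment", form))
    print("Task/comment:", apply_update(SCHEMES, "Task", "comment", form))
```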