View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008134 | mantisbt | preferences | public | 2007-07-09 05:50 | 2011-08-29 07:05 |
Reporter | opi | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | duplicate | ||
Product Version | 1.0.8 | ||||
Summary | 0008134: it's not possible to delete own attachments | ||||
Description | Hi. If a user uploads a wrong file and he wants to fix the IMHO it should always be possible to delete own attachments. It would be very nice if you can add that feature. Best Regards | ||||
Tags | No tags attached. | ||||
I had a look at the code and it seems that you are correct. When the decision is made about whether a user can view, download, or delete an attachment, the reporter of the issue, rather than the submitter of the attachment, is used. This should be fixed. |
|
The problem is that the author of the attachment is not stored in the DB, so there is no way to implement that kind of check. Moreover, I think that the "delete" operation, which is undoable, should really be avoided and eventually permitted only to a user with a high access level (MANAGER or something like that). I propose to implement the "is_obsolete" flag as suggested in 0007835, so that users can mark the attachments as obsolete and be done with it. |
|
I think the DB should be extended and store the author of the attachment too. |
|
I believe that the admin should be able to configure the system so that users can delete their own attachments or not, which is what we are doing now, but we have a bug in the logic. I agree with "opi" that there are scenarios where it makes sense to allow the users to delete their own attachments. I also think it would be useful to capture the name of the attachment submitter and display it next to the attachment. We can also use the same information to implement the access check correctly. Hence, I believe that we should extend the schema to store the submitter. |
|
I've added this field as user_id. All will be posted in patch for bug 7835 |
|
Victor, this calls for a decision about what to do on upgrades. If we don't try to assign the correct user_id to attachments (we could infer it from history) we will have a bunch of attachments with user_id = 0. IMHO, this can be acceptable, and by allowing only users above can_delete_threshold to delete attachments with user_id = 0 we basically have the current behavior. |
|
I was going to say the same. The same situation (user_id=0) will appear during user deletion. All his files will get user_id=0 so they will be >abandoned<. |
|
We can get the author of attachments based on mantis_history_table... just do a lookup from newest to oldest entries to determine who currently owns a file attached to a bug. But Victor is ultimately correct in saying that user ID = 0 (or -and this is important- an ID that no longer exists) should be handled correctly. If an owner of an attachment is removed from the Mantis DB, the attachment owner should just be reverted to blank/no-one, thus requiring a user who meets the existing attachment delete threshold. |
|
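The ownership rule discussed in the notes above (a stored submitter, with user_id = 0 or a deleted user falling back to the delete threshold), as an added example that is not MantisBT code and not part of any note. The function name, parameters and access-level values are assumptions made for illustration:

```php
<?php
// Added illustration; names and values are hypothetical, not MantisBT's API.
const NO_OWNER = 0;   // user_id of pre-upgrade or orphaned attachments
const REPORTER = 25;  // constructed access levels
const MANAGER  = 70;

/**
 * @param int   $ownerId      submitter stored with the attachment (0 = unknown)
 * @param int   $actorId      user requesting the delete
 * @param int   $actorLevel   access level of that user
 * @param int[] $existingIds  ids of accounts that still exist
 * @param bool  $allowOwn     admin setting: users may delete their own files
 * @param int   $threshold    level allowed to delete any attachment
 */
function can_delete_attachment(int $ownerId, int $actorId, int $actorLevel,
    array $existingIds, bool $allowOwn, int $threshold): bool
{
    // Users at or above the threshold keep the pre-change behaviour.
    if ($actorLevel >= $threshold) {
        return true;
    }
    // Unknown owner, or an owner id whose account was deleted: nobody owns
    // the file, so only the threshold path above can authorise the delete.
    // Checked before the id comparison so an actor id of 0 never matches.
    if ($ownerId === NO_OWNER || !in_array($ownerId, $existingIds, true)) {
        return false;
    }
    return $allowOwn && $ownerId === $actorId;
}

// Constructed sample data: accounts 2 and 3 exist, account 7 was deleted.
$existing = [2, 3];
$cases = [
    'own file'               => [2, 2, REPORTER],
    'someone else\'s file'   => [3, 2, REPORTER],
    'pre-upgrade file (0)'   => [NO_OWNER, 2, REPORTER],
    'deleted owner, stale id' => [7, 7, REPORTER],
    'manager, unknown owner' => [NO_OWNER, 3, MANAGER],
];
foreach ($cases as $label => [$owner, $actor, $level]) {
    $ok = can_delete_attachment($owner, $actor, $level, $existing, true, MANAGER);
    printf("%-25s %s\n", $label, $ok ? 'allow' : 'deny');
}
```

Only the first and last cases are allowed; the ownerless and deleted-owner cases are denied for anyone below the threshold.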
Will it cause heavy queries if we do a lookup from history_table to determine the attachment's owner? |
|
Why can we not move all data of a deleted user to admin and/or another user in the system? |
|
Isn't this fixed through duplicate bug:12553? |
|
Seems to be the case, thanks for reporting. |
|