The markdown field provides the dict for both the markdown and render metadata.
Details
As part of rendering the markdown field, the permissions for the object being rendered (in this case ticket dependencies) are checked. However, the issue here is that the model TicketBase is being used for that check instead of the actual ticket model.
Even though this bug is security related, the model in question, TicketBase, is not in use as it is behind a feature flag.
Fix
$ git diff core/fields/markdown.py
diff --git a/app/core/fields/markdown.py b/app/core/fields/markdown.py
index e093b6c08..0292b925c 100644
--- a/app/core/fields/markdown.py
+++ b/app/core/fields/markdown.py
@@ -141,7 +141,7 @@ class MarkdownField(CharField):
try:
- item = TicketBase.objects.get( pk = number )
+ item = TicketBase.objects.get( pk = number ).get_related_model()
if self.context['request'].user.has_perm(
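Review bot: `item` now holds the sub-model instance, but the check that starts on the following line, `has_perm(`, is unchanged; confirm that the permission codename passed to it is derived from `item`'s model (its app label and model name) rather than from TicketBase, otherwise the check still evaluates the base model's permission. Because `get_related_model()` is chained inside the same `try:` as the `.get()` lookup, any failure it raises will reach the same handler, which is not visible here; make sure that handler does not fall through to rendering without a permission check. A unit test in app/core/tests/unit/field_markdown/test_unit_markdown_field.py that exercises this permission branch should accompany the change, since the issue notes it is currently untested.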
Tests (app/core/tests/unit/field_markdown/test_unit_markdown_field.py) will also need to be properly written, as the permission checking that is part of rendering is not tested at all.
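Added example, not the project's code, of the over-grant the bug allows and how resolving the sub-model closes it: a user holding only the TicketBase permission is allowed to render a ticket they hold no permission on before the fix, and is denied after it. The sub-model name TicketRequest, the app label "core" and the behaviour of get_related_model() are assumptions for this illustration.

```python
# Added illustration (not the project's code): the render-time permission
# check in MarkdownField must be evaluated against the concrete ticket model,
# not TicketBase. Assumed: Django-style "<app_label>.view_<model_name>" perms,
# a constructed sub-model TicketRequest, and a get_related_model() resolver.
from dataclasses import dataclass, field

APP_LABEL = "core"  # assumed app label for the permission codename


class TicketRequest:
    """Constructed stand-in for a concrete ticket sub-model."""

    def __init__(self, pk: int):
        self.pk = pk


class TicketBase:
    """Feature-flagged base row; the real ticket data lives in a sub-model."""

    def __init__(self, pk: int, related_cls=TicketRequest):
        self.pk = pk
        self._related_cls = related_cls

    def get_related_model(self):
        # Assumed behaviour: return the concrete sub-model instance for this pk.
        return self._related_cls(pk=self.pk)


@dataclass
class User:
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


def view_perm(obj) -> str:
    """Permission string the way Django derives it from the model name."""
    return f"{APP_LABEL}.view_{type(obj).__name__.lower()}"


def can_render_before_fix(user: User, base: TicketBase) -> bool:
    item = base  # bug: the check is evaluated against TicketBase itself
    return user.has_perm(view_perm(item))


def can_render_after_fix(user: User, base: TicketBase) -> bool:
    item = base.get_related_model()  # check against the concrete ticket model
    return user.has_perm(view_perm(item))
```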
Tasks
Correct so that it uses the sub-model
Test
Requirements
Everywhere the field is used must be tested, i.e. ticket comments, ticket description, etc.
For every model that is able to be rendered, it must be tested.
For every type of ticket that is able to be rendered, it must be tested.