Tuleap - Assign back to Artifact Submitter - live

In the field usage section of Tuleap, I have selected the bind to users option; in that I selected the list of groups available and also the artifact_submitter option.
So, when a submitter (user1) fills in the task and assigns it to user2, the assigned person can't assign it back to the particular person (user1) who submitted the artifact. When user2 selects the assigned to option, he can see artifact_submitter along with the user groups involved in the section.
In our office we have some 150 users who will submit an artifact and assign it to the project lead user; in turn, the project lead can't assign it back to the exact user who submitted it.
When he clicks the assigned to option, he can see all the 150 users available for that user group.
Is there an option where one can assign back to the exact user who submitted the artifact (like the correspondence button we have in the Codesk tool)?

Sadly no, this is not possible at the moment. What you can do is use an Openlist field instead, which does not solve your issue but makes it easier to select one person in a list of 150 names.

Related

Is there a setting to force user stories to be linked to a parent?

There is a setting for forcing story points to be entered when creating a work item (e.g. user story) in the layout processes field options, but is there one for mandating linking of work item/story to a parent?
There isn't a straightforward way to do that.
A good option is to create a custom field in User Story work item in your inherited process.
And set the work item rule to make the value of this field required when creating a User Story.
Check the UI output by using the rule. This could be a reminder to link the parent work item.
Update 1:
You still need to manually add link as Related Work.
The required value for the custom field works as a reminder for the users when creating the User Story.
You could also define the custom field as Picklist (string). When a user creates a new User Story, he could add Related Work links and pick a value for the custom field in order to save this User Story.

Security warning from extension_builder: action is publicly accessible

I created an extension with the extension builder.
On saving I get this message:
The object was updated. Please be aware that this action is publicly accessible unless you implement an access check. See https://docs.typo3.org/typo3cms/extensions/extension_builder/User/Index.html
How can I fix this issue? Yes I read the page but there are no useful hints.
Since the question is how you can "fix the issue": There is no issue, it is a warning, you can remove it and make your request secure. (As in the other answer.)
The "hint" on the page is actually very straightforward. The "issue" is that a user is able to manipulate the URL and make the server execute an unwanted action.
Here is an example:
You have a list of users on your page and you can open their public profile for more information:
https://yourdomain.com/list/?tx_ext_plugin['action']=show&tx_ext_plugin['userId']=41.
So if I want to make some trouble, I change the action "show" to "delete" and I may be able to delete the poor user "41" from the db. That is bad.
https://yourdomain.com/list/?tx_ext_plugin['action']=delete&tx_ext_plugin['userId']=41.
So since it is your business logic, TYPO3 offers no out-of-the-box solution for this. That is why this warning from extension builder says that you need to take action to prevent misuse.
Regarding how to implement better security, here are some thoughts about Access Control and some ideas about what to implement in your actions:
1) FE
You can separate your actions into different plugins. So if you have a public list action, it cannot be modified to the plugin that is responsible for the delete action. How is that possible? TYPO3 will look up the page record in your database and render it, and if there is a plugin on the page with the signature "tx_ext_plugin", then it will get the sent parameters. In this case you have the possibility to add the different plugins to different pages, so changing the signature won't help an attacker, because:
If the delete action is not registered by the plugin, TYPO3 will throw an exception.
If you are trying to change the whole signature, the page won't be able to identify the plugin.
You can add the edit / delete plugin to pages where a user has to be logged in. You can even manage multiple user groups. For example, a normal user can only edit their own profile, but a premium user can make further changes. In Fluid you can use the view helper IfHasRole, which can show parts of your template for defined user groups. (There is an ifAuthenticated ViewHelper too)
You can take the extension "femanager" as an example. There is a controller "EditController" that covers actions like "update" and "delete". For example, before making the update action there is a check whether the logged-in user has the same user id as the record which is going to be changed. If you have a complex example, you can make a check on the user group also.
2) BE
It is actually almost the same as frontend.
BUT instead of plugins / user groups assigned in page settings, you can use different mountpoints, so BE users cannot see folders where they are not allowed to edit / delete.
You have those two ViewHelpers for the BE too. Their names are: f:be:security.ifAuthenticated and f:be:security:ifHasRole. However, ifAuthenticated is also for FE; in a BE context it does not make sense.
You also have the possibility to identify the id and userGroups of the BE user, and you can make your own checks before you let an action run.
You also have the possibility to turn a module on / off for a certain BE group.
+1: It has nothing to do with any action, but just to list it too: there is also the possibility to allow / disallow fields for BE users when editing a record through the List mode in the BE.
Extension builder creates dummy actions to update and create records. Those example actions do not contain any security checks, whether the caller actually is allowed to do so.
So it is your job to add adequate access control to those methods. E.g. make sure the current user (be it Frontend or Backend) is actually allowed to update the model in question.
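The two checks the answers above describe (an action that is not registered for the plugin is rejected, and a modifying action runs only for the logged-in user who owns the record), modeled in plain PHP as an added example. It is not TYPO3, femanager or Extension Builder code; the plugin signatures `tx_ext_list` and `tx_ext_edit`, the function names and the sample records are hypothetical.

```php
<?php
declare(strict_types=1);
// Added illustration in plain PHP; all names and sample records are hypothetical.
final class AccessDenied extends RuntimeException {}

// Actions registered per plugin: the public plugin never dispatches "delete".
const PLUGIN_ACTIONS = [
    'tx_ext_list' => ['show'],
    'tx_ext_edit' => ['update', 'delete'],
];

function dispatch(string $plugin, array $params, ?int $loggedInUid, array &$users): string
{
    $action = (string)($params['action'] ?? '');
    // Check 1: the requested action must be registered for this plugin.
    if (!in_array($action, PLUGIN_ACTIONS[$plugin] ?? [], true)) {
        throw new AccessDenied("action '$action' is not registered for '$plugin'");
    }
    $uid = (int)($params['userId'] ?? 0);
    if (!isset($users[$uid])) {
        throw new AccessDenied('unknown record');
    }
    if ($action === 'show') {
        return 'profile of ' . $users[$uid];
    }
    // Check 2: modifying actions need a logged-in user who owns the record.
    if ($loggedInUid === null || $loggedInUid !== $uid) {
        throw new AccessDenied("user may not $action record $uid");
    }
    if ($action === 'delete') {
        unset($users[$uid]);
        return "deleted record $uid";
    }
    $users[$uid] = (string)($params['name'] ?? $users[$uid]);
    return "updated record $uid";
}

// Constructed requests: [plugin, request parameters, logged-in uid or null].
$users = [41 => 'alice', 42 => 'bob'];
$requests = [
    ['tx_ext_list', ['action' => 'show',   'userId' => '41'], null], // allowed
    ['tx_ext_list', ['action' => 'delete', 'userId' => '41'], null], // changed action
    ['tx_ext_edit', ['action' => 'delete', 'userId' => '41'], 42],   // not the owner
    ['tx_ext_edit', ['action' => 'delete', 'userId' => '41'], 41],   // owner
];
foreach ($requests as [$plugin, $params, $uid]) {
    try { echo dispatch($plugin, $params, $uid, $users), PHP_EOL; }
    catch (AccessDenied $e) { echo 'denied: ', $e->getMessage(), PHP_EOL; }
}
```

In a real Extbase controller the same ownership comparison belongs at the top of each generated update and delete action, before the repository is touched.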

Section display issue in InfoPath form

I have an InfoPath form which users use to fill in details and which an approver approves. The approver section in the form is displayed only to those whose ID is present in a hidden field. This was working fine before, but now even approvers cannot see the approver section. Recently I added a user to the hidden field, after which it worked fine for some time. Now all approvers cannot see the approver section itself.
Things to check:
If you are using multiple views in the form, make sure you are updating them as needed and not only updating one view and forgetting the others.
If you remove the last user you added to the hidden input, does the issue go away? How are you inserting users in the hidden input? Separating them by some character?
Try to display the id of the current user in the form and display the hidden input, and make sure the ids really match or whether there is any difference.

Using ninja forms, how can I persist field values across pages?

I have a form on the home page of quotedjobs.com that I would like to persist the field values of across pages.
For example: A user enters some values in fields, such as job title (textbox), job type (list) and job description (text field). Underneath that I ask users to register on the site, but they have the option to click a link to allow them to login if they are already members.
What I would like to be able to do, is to redirect users to another form that is a copy, but allows them to login instead of register, but keep hold of the values that they entered in the title, type and description form of the previous page so they aren't losing their work.
I have seen the ninja_forms_processing variable in the docs, but I'm not clear on how to use that.
TL;DR - You can't.
As it was slim pickings here, I sent an email over to support. Got this response:
Hello,
At this time this use case is not possible in Ninja Forms. The plugin is currently unable to transfer data from field to field or between forms.
I’m sorry that we do not have a better solution for you at this time.
Thank you,

tiki-wiki: how do I force newly created pages into a category based on the user's group?

I need for certain users to only be able to create pages in certain categories based on their permissions. One reason for this is approvals ("flagged revisions"). If a user can create content outside of any category, then it could show up live on the web site. Even though it wouldn't initially be linked anywhere directly in an existing page (except other unapproved pages), this can still be a problem.
I can prevent the user from creating a new page in the global scope (apparently this corresponds simply to "edit" permissions as I don't see a special permission for creating new pages), and then I can grant them permission to edit pages in the category their group is authorized to edit. But I can no longer see the "Menu:Wiki:Create a Wiki Page" option, and I can't figure out how to allow the user to create a new page in that category.
I can edit the group and set the "Default category assigned to uncategorized objects edited by a user with this default group" to the desired category. When I do that, a user in that group now has a "Create a Wiki Page" option show up in the Menu:Wiki sub-menu, but clicking on that does not bring up a new page for editing; instead it just brings up a list of existing wiki pages, without the option to create a new one!
If I create a link to the new page from an existing page, I am unable to edit it in any way. Clicking the link takes me to a page which indicates that the page does not exist, but which does not provide any way to edit it. Putting the title of the page directly in the URL, as in tiki-editpage.php?page=New+Page+Name brings up a "You do not have permission to edit this page" error page. Since any new page created by the user should have the category they have permission to edit, this does not make sense unless the category isn't set until after the initial edit permission check occurs, which creates a catch-22!
How do I let the user create a new page in any of the categories they have permissions to edit in?
If Categories are not the best tool for the task that's okay too. I don't really understand the difference between Categories and Structures with regards to which is better for what I'm trying to accomplish, however it seems Categories are the more "native" feature, which is why I am trying to use them.