2522: Hide inaccessible review requests from "All review requests" list

ppr***@liwja****** (Google Code) (Is this you? Claim this profile.)
Feb. 17, 2014
3267 
What version are you running?

1.6.4.1

What's the URL of the page containing the problem?

reviewboard.domain.org/r/

Please provide any additional information below.

When having private repositories, review requests for those repositories still show in the list of all review requests, even if the user doesn't have access to them. Clicking on one item gets a
"You don't have access to this review request" error.

Review requests which are inaccessible to the user should either not be shown at all, or at least be hideable over a configuration value (though I suppose the first solution would be the proper one)
david
#1 david
  • +Component-Dashboard
#2 lu***@lust***** (Google Code) (Is this you? Claim this profile.) 
I'm going to have to set up a separate reviewboard instance because this functionality is not there.
chipx86
#3 chipx86 
The problem is that there's no one query we can use that returns all the review requests that only your user can see, because the logic is just more complicated than that. In theory, we could fetch them, iterate over, check each one, and not show it if it's not accessible, but then pagination is busted. So.. it's a challenge.
#4 mati*****@gmai***** (Google Code) (Is this you? Claim this profile.) 
This issue forces you to use vague wording in the topic header to avoid disclosing IP. This is unnatural and conflicts with private repository concept. It is a big security hole in the architecture.
david
#5 david 
This is fixed in the latest 1.7.x and 2.0 releases
  • +Fixed
chipx86
#6 chipx86