Test and make sure that drafts are accessed only by their creators. Even manipulating URLs should not allow another translator to retrieve them.
Description
Details
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Arrbee | T78377 Manual Testing Scenarios for January 2015 deployment
Resolved | | santhosh | T78008 Test and make sure saved translations are accessed only by the creator
Event Timeline
(posted wrongly in the tracker task earlier)
Currently, when trying to view a draft by using the URL the following happens:
- user can see a broken translation view with emptiness in the source and target columns. Only titles are displayed.
- the page gets saved in the user's dashboard as a draft (which again opens the same broken translation view)
Can this be changed to redirect to the current user's dashboard? Possibly add a warning message saying that they don't have permission to view another user's draft.
Change 182435 had a related patch set uploaded (by Santhosh):
Fetch the translation and drafts of current user alone
Change 182435 merged by jenkins-bot:
Fetch the translation and drafts of current user alone
The current patch doesn't fix the issue and adds regressions.
- Drafts can be accessed by other users, including users who have not enabled CX as a beta feature.
- No warnings are shown
- The other users can publish the article (directly into the main namespace)
- In case they publish the article, it removes the original draft from the original translator's dashboard and shows up in the list of published articles.
Change 183435 had a related patch set uploaded (by Santhosh):
If wrong draftid passed, take the user to dashboard
Change 183446 had a related patch set uploaded (by Santhosh):
Check if another translator working on same translation
Change 183435 merged by jenkins-bot:
If wrong draftid passed, take the user to dashboard
I merged the patch because it's good progress, but there are still some issues:
- If the user didn't enable the beta feature, the translation interface starts loading and only after that redirects to a "no such special page" error page. This may be worth a separate task.
- If the beta feature is enabled, the warning is shown for a few seconds and then the user is redirected to the dashboard. It's an improvement, but maybe it's better to show a more stable warning. @Pginer-WMF, what do you think?
Change 183446 merged by jenkins-bot:
Check if another translator working on same translation
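
The behaviour this task asks for, as an added example that is not part of the thread and is not ContentTranslation code: a minimal in-memory model in which loading, saving and publishing a draft all pass the same ownership check against the session user. `DraftStore`, its methods, the user names and the `draft-unavailable` warning key are hypothetical.

```javascript
// Added illustration; every name here is hypothetical.
class DraftStore {
  constructor() {
    this.drafts = new Map(); // draftId -> { owner, title, published }
  }

  // The owner is always the authenticated session user, never a URL value.
  save(sessionUser, draftId, title) {
    const existing = this.drafts.get(draftId);
    if (existing && existing.owner !== sessionUser) {
      return DraftStore.denied(); // no adopting or overwriting another user's draft
    }
    this.drafts.set(draftId, { owner: sessionUser, title, published: false });
    return { ok: true };
  }

  load(sessionUser, draftId) {
    const draft = this.drafts.get(draftId);
    // Same answer for "no such draft" and "not yours", so ids cannot be probed.
    if (!draft || draft.owner !== sessionUser) return DraftStore.denied();
    return { ok: true, draft };
  }

  publish(sessionUser, draftId) {
    const res = this.load(sessionUser, draftId); // publishing reuses the same check
    if (res.ok) res.draft.published = true;
    return res.ok ? { ok: true } : res;
  }

  dashboard(sessionUser) {
    return [...this.drafts.values()].filter((d) => d.owner === sessionUser);
  }

  static denied() {
    return { ok: false, redirect: 'dashboard', warning: 'draft-unavailable' };
  }
}

// Constructed sample: TranslatorB requests TranslatorA's draft id from the URL.
function demo() {
  const store = new DraftStore();
  store.save('TranslatorA', 'draft-1', 'Example title');
  return {
    ownerLoad: store.load('TranslatorA', 'draft-1').ok,
    otherLoad: store.load('TranslatorB', 'draft-1'),
    otherSave: store.save('TranslatorB', 'draft-1', 'Example title').ok,
    otherPublish: store.publish('TranslatorB', 'draft-1').ok,
    otherDashboard: store.dashboard('TranslatorB').length,
    ownerDashboard: store.dashboard('TranslatorA'),
  };
}
```

Each regression listed in the thread maps to one field of `demo()`: viewing (`otherLoad`), the draft appearing on the other user's dashboard (`otherSave`, `otherDashboard`), and publishing moving the draft (`otherPublish`, `ownerDashboard`).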