Security issues (bug & suggestions)

This forum is now locked, since Gold Support is no longer offered.

Moderator: SourceGear


Security issues (bug & suggestions)

Post by luther_miller » Wed Nov 22, 2006 4:34 pm

There is a bug when you open the "Security..." window for a user using the Admin tool (currently using 3.5.1, but this bug seems to be in most versions).
If you use the arrow keys and space bar to scroll through and toggle Repository Access on and off, then close and open back up, the settings that you chose are no longer the settings that are selected. It works fine with the mouse, however.

Background:
We are a consulting company and currently have 21 Vault users who work on different projects. We have dozens of repositories. We grant access to users only to those repositories for projects they are involved with. Security is extremely important to us and our clients.

I believe you have the same bug when you view a repository and grant access to users.

I reported this years ago in an older version and I think it was fixed at one point but it has cropped back up.

Suggestions:

1. Please fix the above bugs - scrolling and clicking with the mouse through dozens of repositories is painful.

2. Please show more than three repositories in Repository Access list. Without even redesigning the form you obviously have room for a couple more. It would be great if I could resize the window to see more, or if this list popped up in its own window so I could see more.

3. Please change the defaults for a new user so that they have access to NO REPOSITORIES when the user is created. I would rather err on the safe side and be forced to grant access.

4. Please change the defaults for a new repository to grant access to NO USERS. I would rather err on the safe side and be forced to add users rather than accidentally give access to a user that shouldn't have it.

I think that these security considerations are very important. If you have other users that disagree, then at least provide an option to default users and repositories to no access.

Thanks
-Luther

Beth
Location: SourceGear

Post by Beth » Wed Nov 22, 2006 5:04 pm

Thanks for the feedback. I will look into this and post back again.


SECURITY ISSUES

Post by luther_miller » Tue Jan 30, 2007 5:41 pm

Could someone please update me on this issue?

We would REALLY like to see this fixed (the UI bug) as well as have an option to default new Users and new Repositories to have access to nothing. We work on many projects for many clients and also give contractors and clients access to repositories, and we do not want to mistakenly give the people access to the wrong repositories. This is very important to us and it keeps coming up again and again over here.


Post by lbauer » Tue Jan 30, 2007 5:46 pm

It looks like this is scheduled for Vault 4.0, due out later this year.
Linda Bauer
SourceGear
Technical Support Manager


What about the UI bugs?

Post by luther_miller » Tue Jan 30, 2007 5:48 pm

At the very least, will at least the UI bugs be fixed with 3.5.2?

We can't use the keyboard to select and unselect repositories or users in the security windows. It appears to work, but when you save and re-open, they are all wrong. You have to use the mouse, which is not very efficient when you have a long list (as we do). This was reported many, many versions ago and was fixed at one point; not sure when it broke again, but it is broken in the current versions.


Post by lbauer » Tue Jan 30, 2007 6:07 pm

Admins will have the option to set the default to NO repository access for Vault 4.0.

In addition we are totally redesigning the Admin Tool -- I believe it will be a web-based client. I'll log a bug to reference this post so that these design issues will be looked at. But it could just be a moot point since the interface will be substantially changed.

We'll take a look at what it would take to change the 3.5.1 Admin Tool. However, given the other priorities for 3.5.2, we wouldn't want to invest too much development time for features with a product life of a few months.
Linda Bauer
SourceGear
Technical Support Manager


bug in the UI

Post by luther_miller » Tue Jan 30, 2007 6:11 pm

If I recall from the last time, the bug with the keyboard not working is that the wrong index was being used in an event to toggle the checkboxes on and off, so hopefully it is a really easy fix for the UI that would help greatly with security...

Thanks - of course, looking forward to any improvements in 4.0 also, but this is a real pain point in the current version for us.


Post by lbauer » Wed Jan 31, 2007 9:55 am

Ok, I'll consult with our product manager on this.
Linda Bauer
SourceGear
Technical Support Manager


Post by lbauer » Wed Jan 31, 2007 10:33 am

I've changed the milestone for this to Vault 3.5.2 and upped the priority.
Linda Bauer
SourceGear
Technical Support Manager


Re: What about the UI bugs?

Post by jclausius » Thu Feb 01, 2007 9:56 am

luther_miller wrote:
> At the very least, will at least the UI bugs be fixed with 3.5.2?
>
> We can't use the keyboard to select and unselect repositories or users in the security windows. It appears to work, but when you save and re-open, they are all wrong. You have to use the mouse, which is not very efficient when you have a long list (as we do). This was reported many, many versions ago and was fixed at one point; not sure when it broke again, but it is broken in the current versions.

Luther:

I'm investigating this issue for Vault 3.5.2. We'll make sure everything does work correctly.

In the scenario you describe for a lot of users, it might be a lot easier to grant/deny rights to a repository for ALL users in one dialog. Have you tried to change User repository access from the properties of the Repository?
Jeff Clausius
SourceGear


security...

Post by luther_miller » Thu Feb 01, 2007 11:09 am

Thanks for working to get this in 3.5.2.

Jeff - I'm not sure I understand what options you are referring to. On the Repositories tab, I select a Repository that was recently added and click Properties and then click on Repository Access. We have a long list of users, and the easiest way to scroll through the list and toggle most of the checkboxes off is with the keyboard (which is what doesn't work when you save and open it back up), so we have to do it with the mouse. Even worse, we have to remember to uncheck "Show Only Active Users"; otherwise if we re-activate someone, say a contractor, it turns out we have given them access to a bunch of new repositories by accident. Your message implies there may be an easier way to do this that I missed. Could you be more specific? Thanks!
-Luther
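The hazard described in the post above (a deactivated account that is hidden from the access list still picks up default grants on new repositories, and holds them when re-activated) can be reproduced in a small model. This is an added example, not part of the original thread and not SourceGear's code; the `AccessModel` class, its methods and the user and repository names are all hypothetical.

```python
# Toy model, constructed for illustration; not Vault's data model or API.
from dataclasses import dataclass, field

@dataclass
class AccessModel:
    default_allow: bool                           # True mimics the defaults the thread complains about
    users: dict = field(default_factory=dict)     # name -> is_active
    repos: set = field(default_factory=set)
    grants: set = field(default_factory=set)      # (user, repo) pairs that can access
    reviewed: set = field(default_factory=set)    # pairs an admin set by hand

    def add_user(self, name):
        self.users[name] = True
        if self.default_allow:                    # new user silently gets every repository
            self.grants |= {(name, r) for r in self.repos}

    def add_repo(self, repo):
        self.repos.add(repo)
        if self.default_allow:                    # new repo opens to every user, inactive included
            self.grants |= {(u, repo) for u in self.users}

    def set_access(self, user, repo, allowed):
        self.reviewed.add((user, repo))
        (self.grants.add if allowed else self.grants.discard)((user, repo))

    def unreviewed_grants(self, active):
        """Grants that exist only because of a default, for active or inactive users."""
        return sorted(g for g in self.grants - self.reviewed if self.users[g[0]] == active)

def scenario(default_allow):
    """Constructed sequence: contractor leaves, a new client repo is created, and the
    admin reviews only the users visible under an 'active users only' filter."""
    m = AccessModel(default_allow)
    m.add_repo("client-a")
    for name in ("employee", "contractor"):
        m.add_user(name)
        m.set_access(name, "client-a", True)
    m.users["contractor"] = False                 # contract ends, account deactivated
    m.add_repo("client-b")                        # new project for a different client
    for name, active in list(m.users.items()):
        if active:                                # inactive accounts are hidden from the admin
            m.set_access(name, "client-b", False)
    dormant = m.unreviewed_grants(active=False)   # what an audit would flag at this point
    m.users["contractor"] = True                  # contractor is re-activated later
    return dormant, ("contractor", "client-b") in m.grants

if __name__ == "__main__":
    print("default allow:", scenario(True))
    print("default deny: ", scenario(False))
```

With default-allow, the only unreviewed grant is the one on the hidden account, which is the grant that matters once the account is re-activated; with default-deny there is nothing to find.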


Post by jclausius » Thu Feb 01, 2007 1:15 pm

Luther:

Can you describe the original bug? The one I have listed is the following:

Within the Admin Tool:
- Choose the Users tab.
- Highlight a User and then click Security

Feature Request -
- Make the list of repositories bigger (only shows 3 repositories)

Bug -
- When using the keyboard (up/down on keyboard) using spacebar to toggle the checkbox, and clicking OK - the saved list of accessible repositories is not correct.


Can you describe the bug you are seeing?
Jeff Clausius
SourceGear


the same bug on two screens

Post by luther_miller » Thu Feb 01, 2007 3:07 pm

1. In the admin tool, Repositories tab, select a repository and then Security, in the repository access tab, use the keyboard to scroll and check/uncheck repositories; save and open back up, and the wrong ones were checked/unchecked. If you use the mouse instead of the keyboard, it works correctly.

2. In the admin tool, Users tab, select a user, click on security, (yes, why are there only 3 repositories in display?), in the Repository Access window use the keyboard to scroll through and check/uncheck repositories, save and re-open, the wrong ones are checked. If you use the mouse it works properly.

Whenever we add a new User we have to remove access to most repositories. Whenever we add a new repository we have to remove access to most users (active and inactive). As a consulting company with full time employees, contractors, and various client projects, we have to do this often.


Post by jclausius » Thu Feb 01, 2007 3:51 pm

OK. Thanks for the descriptions. I'll make sure the bug covers both locations.
Jeff Clausius
SourceGear
