Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 820 by It is possible for a user to create multiple  
draft reviews, leading to an unviewable review

*NOTE: Do not post confidential information in this bug report.*

What's the URL of the page containing the problem?
"View diff" page on another user's published review

What steps will reproduce the problem?
1. Comment on multiple lines in the diff
2. Edit some of your comments (by clicking on the comment markers, changing
the text, and hitting Save)
3. Hit "Edit Review" on the green draft-review banner
4. Fill in some review text and change one or more of the comments
5. Hit "Publish Review"

I have not minimized the steps, yet, but I've only just encountered this
recently (and once). It may be necessary to further click on some
just-entered comments and click cancel.

What is the expected output? What do you see instead?
The (single) review I have been composing is published, and an email is  

An email is sent for the review I expected, but the publish action
redirects me to an exception page ('get()' returning multiple rows instead
of 1). The account who just published the review can no longer access that
review (the same exception page shows).

What operating system are you using? What browser?
Ubuntu 8.10 x86_64's Firefox 3.0.5

Please provide any additional information below.
If it matters, there were other reviews (with code references) on an older
diff. I think I did not click on any markers for these older reviews, since
I was reviewing a newer diff with no existing reviews.

Unfortunately, I didn't capture the stack trace.
It is likely easy to reproduce the stack trace: just use the Admin tool to
toggle the 'Public' field to 'false' for at least two reviews from the same
user in the same review request, then try to view the review request as
that user.

The real issue seems to be caused by several factors:
1) get() is used when retrieving a user's draft review(s) for a given
review request,
2) the JSON API and/or the underlying model does not prevent the creation
of multiple (user, review request, non-Public review) sets, and
3) some of the JS in the diff viewer page is (accidentally or
intentionally) trying to create a new review request instead of modifying
the current draft in at least one situation.

If multiple drafts are reasonable, (1) is the only problem, and some GUI
work may be in order.
It seems to me that the real problem is (3).
The existence of (2) allows (3) to violate the model's invariants so that
it becomes impossible for the user to fix it.

If you encounter this (an exception when trying to view a review), either
(1) view it anonymously, or (2) log in as Administrator and find the
offending reviews (either delete them or mark them as Public).

You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:

You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To post to this group, send email to
To unsubscribe from this group, send email to
For more options, visit this group at

Reply via email to