Mathieu Roy wrote:
Sylvain Beucler <[EMAIL PROTECTED]> typed:
> The change is not very hard (attached). I used the field
> description: "Email address of the person who submitted the item
> (if different from the submitter field, add address to CC list)" -
> so I did not make the checkbox I mentioned (of course, this is not
> because such a feature is tedious to implement). If it is ok I will
> commit it.
>
> However, I do have to test whether the user did not fake the form:
> he could use a custom form to set the originator mail field. I
> could also set the "assigned to" field using this method. I think
> we should add this check for all fields when creating the tracker
> item.

Hum, users asked to be specifically able to have preformatted
entries. For instance, some software includes in its interface a
link to their bug tracker prefilling some fields (like system or
whatever). I think it is safe and handy; in the case of the email
address, we'll still have the risk of spamming people.

No, I said that people could send requests (e.g. using an edited HTML form or curl) that set fields they should not be able to set. "Assigned to" can only be set by tracker admins, not by an anonymous user. However, I could set it as anonymous using a modified HTML form.

Btw, I forgot to replace $_POST with $_REQUEST in the code. This is unrelated but it prevents the preformatted GET requests you mention.

I think that I remember now why we decided not to link the originator email to notification :)
In fact, the point was: if someone wants to be notified, he has to
create an account. He can leave his address if he wants but that's not the preferred way - if we allow non-logged-in users to generate CC, we allow spam in some way.

As I wrote in my previous mail, I think the 'spam risk' is very low (did you read that one? I actually posted 2 different replies).

In my case, I needed that feature. It is useful when people only report one bug and don't need to create an account, and when they post a support request to recover their account. I think project admins who do not want such a feature can add a custom field with the same name "Originator Email", but that one won't have the special ability to add its contents to the CC list.

So the point is now: how come even I forgot about that? It should definitely be written down and explained to users. What is the content of the infobubble of the field?

Just wrote it :)
> The change is not very hard (attached). I used the field
> description: "Email address of the person who submitted the item
> (if different from the submitter field, add address to CC list)"

--
Sylvain
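
The check discussed in this mail (refusing fields that an edited HTML form or a curl request sets but that the submitter's role may not set), sketched as an added example that is not part of the original message or of the project's code. The role names, field names and `filter_submission()` are assumptions made for illustration.

```php
<?php
// Added example: roles, field names and helper are hypothetical.

// Fields each role may set when creating a tracker item.
// This server-side table, not the rendered form, is the source of truth.
const WRITABLE_FIELDS = [
    'anonymous'     => ['summary', 'details', 'originator_email'],
    'member'        => ['summary', 'details', 'originator_email'],
    'tracker_admin' => ['summary', 'details', 'originator_email', 'assigned_to'],
];

/**
 * Split a submission into fields the role may set and fields it may not.
 * Unknown roles get an empty allow-list, so everything is rejected.
 */
function filter_submission(array $input, string $role): array
{
    $allowed  = array_flip(WRITABLE_FIELDS[$role] ?? []);
    $accepted = array_intersect_key($input, $allowed);
    $rejected = array_keys(array_diff_key($input, $allowed));

    // An allowed field still needs a value check before it feeds the CC list.
    if (isset($accepted['originator_email'])
        && filter_var($accepted['originator_email'], FILTER_VALIDATE_EMAIL) === false) {
        unset($accepted['originator_email']);
        $rejected[] = 'originator_email';
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed request body, as a hand-edited form could submit it.
$forged = [
    'summary'          => 'Crash on start',
    'details'          => 'Steps to reproduce ...',
    'originator_email' => 'reporter@example.org',
    'assigned_to'      => 'some_admin',   // never offered to anonymous users
];

$result = filter_submission($forged, 'anonymous');
if ($result['rejected'] !== []) {
    // Refuse the whole request and log it instead of silently dropping fields.
    http_response_code(400);
    error_log('tracker: fields not writable by role: '
        . implode(',', $result['rejected']));
}
print_r($result);   // 'assigned_to' ends up under 'rejected'
```

The same filter applies whether the values arrive through `$_POST` or `$_REQUEST`, so prefilled GET links keep working while fields outside the role's list are refused.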
