[QA] [Ops] Delete button on gerrit

Paladox thomasmulhall410 at yahoo.com
Tue Mar 6 16:18:00 UTC 2018


 Also just tested now, it's because he is an admin. There was no "privilege escalation". I tested by creating a change as an admin, then a user adding a file. And saw no delete button under that user account.
    On Tuesday, 6 March 2018, 16:10:34 GMT, Paladox <thomasmulhall410 at yahoo.com> wrote:  
 
  I've filled this upstream https://bugs.chromium.org/p/gerrit/issues/detail?id=8493 it seems it was me who added this functionality in gerrit https://github.com/GerritCodeReview/gerrit/commit/580ae0e94659dcb09463775b93472be129905949 . 

    On Tuesday, 6 March 2018, 10:02:16 GMT, Jaime Crespo <jcrespo at wikimedia.org> wrote:  
 
 > I suppose if you took control of a change (via adding your patch set to the CR) it would result in you deleting others' changes.

I didn't, I think it was because I was a gerrit admin.

On Tue, Mar 6, 2018 at 1:36 AM, Chad Horohoe <chorohoe at wikimedia.org> wrote:

On Mon, Mar 5, 2018 at 12:01 PM Jaime Crespo <jcrespo at wikimedia.org> wrote:

I just been told there is now a delete button, DON'T USE IT- I just pressed it by mistake after entering in edit mode thinking it was a "discard patch started on web interface" (but it is very easy to pres it by mistake), and apparently it removes the entire CR. I was told by Paladox this is a new feature on gerrit, and I do not like it already. I managed to delete the work of a workmate. :-(

I could restore everthing from the database backups, but as it also deletes the git files content, it doesn't work without it -it cannot be reverted- only text can be recover from the database in not the nicest formatting.

Apologies for the damages caused. Should I file a ticket to propose to disable such a button from the UI?

Sooooo, this is supposed to be "Delete Own Changes" but I suppose if you took control of a change (via adding your patch set to the CR) it would result in you deleting others' changes. That's a *horrible* privilege escalation!
No need for a ticket, I've disabled this.
-Chad



-- 
Jaime Crespo
<http://wikimedia.org>
_______________________________________________
QA mailing list
QA at lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/qa
    
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.wikimedia.org/pipermail/qa/attachments/20180306/f84c232a/attachment.html>


More information about the QA mailing list