How does Bugzilla operate

[Richard Gaskin]

Sarah Reichelt wrote:
>> On Dec 18, 2004 I reported a problem that became bug 2477. I created a 
>> stack that reliably demonstrated the problem and posted it for download.
>>
>> In Rev 2.2.1 I could create a graphic with a script. The technique 
>> worked great in both the development environment and in standalones.
>>
>> In Rev 2.5 the procedure doesn't work.  I rewrote the code so a 
>> graphic with the proper script is clones rather than created. This 
>> revision worked great in the development environment and FAILS in the 
>> standalone.
>
> Hi Burton,
> 
> Checking your example stack, it creates the graphic perfectly, but fails 
> to assign the script to it because you set the stack to be password 
> protected in the standalone settings. I can't understand why creating 
> the graphic worked, but I guess the password protection only applies to 
> scripts.

A bug was introduced in v2.5 while addressing a potential security 
issue:  the clone command should rightfully prevent objects from being 
cloned from a password-protected stack to any other stack, as the 
destination stack may not be password-protected and thus leave any 
script in that object exposed in the new stack.

However this seems to have been addressed with a touch of overkill:  in 
v2.5 the ability to clone objects within a password-protected stack has 
apparently be disabled, as has the ability to clone a password-protected 
stack itself.  Neither of these two circumstances pose a security 
exposure, so the older behavior of allowing the clone should be restored 
for these, while keeping the one case that is an exposure (cloning out 
of a password-protected stack).

These were reported in Bugzilla, and if memory serves were slated to be 
addressed in the next release.  I can't find the Bugzilla item now, so I 
don't know the current status.

--
  Richard Gaskin
  Fourth World Media Corporation
  __________________________________________________
  Rev tools and more: http://www.fourthworld.com/rev