View Issue Details

IDProjectCategoryView StatusLast Update
0000894Main CAcert WebsiteAudit issuespublic2013-01-15 15:16
ReporterUli60 Assigned ToNEOatNHNG  
PriorityhighSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Fixed in Version2011 Q4 
Summary0000894: problems with check-boxes on website forms (Assure someone) -> a20091118.3
Description(C) dirk
(i would NOT publish this in detail on the wiki until the bug is fixed ... but it's not my decision ... ;-) )

after some assurances where done on openrheinruhr last weekend, i watched alexander b. and joost s. entering the caps into the system.

...

see https://wiki.cacert.org/Arbitrations/a20091118.3
Steps To ReproduceAssure someone
leave checkboxes blang
continue Assurance
Additional InformationRuling

As Martin already wrote in his initial mailing we will be required to work together after this arbitration, so we should maintain a positive and helpful spirit at all times. This especially applies to this case.

I do not see a violation against Assurance Policy. The data submitted to the system has to be checked by the assurer, not the system. It is the assurers obligation to make sure, his assurance conforms to the assurance policy.

Then there is a claim that Philipp G├╝hring violated SP. The violation is dated April 2009. How fix is the date mentioned here? How do we know that the violation took place exactly then. Or could the change have been made earlier and it is just the date the source code was checked in? Nevertheless, SP went into draft and so became binding one week before the mentioned date. Looking at the Software Assessment Project today, there are no working procedures in place to apply software changes one and a half year after that. So this violation might be seen in a grace period before the necessary procedures could be established or the new requirements realised. However, as already done so in a20090810.1 (https://wiki.cacert.org/Arbitrations/a20090810.1) which was after the claimed SP violation happened, Philipp should feel reminded again to follow SP regarding software changes.

Then, there is a bug in the CAcert software. However, it is not the intention of arbitration to have bugs in the CAcert software fixed. Searching bugs.cacert.org did not show any records, regarding this. This might be a private bug which cannot accessed by A or not entered. If not entered, C is now obliged to report the bug using the bug tracking system, not arbitration. Since the bug is misleading for our users and anti-supporting our policies, being an active member of the software team, C is further obliged to get this bug fixed and get the fix applied to the production system with high priority, following the regular update requirements as of SP

Execution

C to document bug at bugs.cacert.org and report back to arbitrator with bug number for documentation. C should fix bug later.
TagsNo tags attached.
Reviewed bydastrath, NEOatNHNG
Test Instructions

Activities

Uli60

2010-11-21 23:44

updater   ~0001792

Problem starts around April / June 2009

Uli60

2011-09-06 21:54

updater   ~0002413

assure someone (wot.php?id=5)
fill form all except setting checkboxes
results in error =>
ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
CAcert Web of Trust
CAcert.org was designed to be by the community for the community, and instead of placing all the labour on a central authority and in turn increasing the cost of certificates, the idea was to get community in conjunction with this website to have trust maintained in a dispersed and automated manner!
=> ok

1 checkbox set (I believe ...)
results in error message
=> ok

1 checkbox set (I have read ...)
results in error message
=> ok

2 checkboxes set (I believe ... + I have read ...)
Shortly you and the person you were assuring will receive an email confirmation.
=> ok

Uli60

2011-09-06 21:56

updater   ~0002414

only transfer to testserver
not yet reviewed

Uli60

2011-09-24 19:36

updater   ~0002501

!!! to test all other processes starting with wot.php !!!

checked main website - no link with wot.php
login with assurer account (with thawte points + 80 assurance pts)
checked main entry page (after login) - no link with wot.php

walking thru menues
CAcert.org - no links
My Details:
 My Listing - https://cacert1.it-sls.de/wot.php?id=8
 My Location - https://cacert1.it-sls.de/wot.php?id=13
 My Points - https://cacert1.it-sls.de/wot.php?id=10

My Listing - switch from not listed to listed
  Your account information has been updated. => ok
My Location - selecting "Frankfurt am Main, Hessen, Germany" (606058)
  displays "Frankfurt am Main, Hessen, Germany" => ok
  switching to "New York (Bronx), New York, United States"
  displays "New York (Bronx), New York, United States" => ok
  re-switching back to "Frankfurt am Main, Hessen, Germany" => ok
My Points (10.php)
  looks ok => ok
  new calculation (15.php)
  Thawte -> Revoked => ok
  80 more pts (less then 100) => ok
  60 experience pts on hold => ok
  remark: Points on hold due to less assurance points => ok

10.php and 15.php have links to other users
eg -> https://cacert1.it-sls.de/wot.php?id=9&userid=171101
trying to contact "John 1 Doe"
"Sorry, I was unable to locate that user, the person doesn't wish to be contacted, or isn't an assurer. " => ok
contact other assurer -> enter message => ok
results in "Your email has been sent to Ulrich." => ok

Uli60

2011-09-24 19:58

updater   ~0002503

Email Accounts - no links
Client Certs - no links
GPG keys - no links
Domains - no links
Server certs - no links
CAcert Web of Trust
 About -> https://cacert1.it-sls.de/wot.php?id=0
 Find an Assurer -> https://cacert1.it-sls.de/wot.php?id=12
 Rules -> https://cacert1.it-sls.de/wot.php?id=3
 Assure Someone -> https://cacert1.it-sls.de/wot.php?id=5
 Trusted Third Party -> https://cacert1.it-sls.de/wot.php?id=4

About - https://cacert1.it-sls.de/wot.php?id=0
 results in text "CAcert Web of Trust" within webdb (probably needs redirect
 to wiki ?!?) => ok
Find an Assurer -> https://cacert1.it-sls.de/wot.php?id=12
 Search Frankfurt 10km
 3 assurers listed
 "Email me" links to https://cacert1.it-sls.de/wot.php?id=9&userid=170914
 ends in "Your email has been sent to Ulrich." => ok
Rules -> https://cacert1.it-sls.de/wot.php?id=3
 results in text "CAcert Web of Trust Rules" within webdb (probably needs
 redirect to wiki ?!?) => ok
Assure Someone -> https://cacert1.it-sls.de/wot.php?id=5
 search user bug846.user2@wiamail
 all checkboxes unchecked ->
 ERROR: You failed to check all boxes to validate your adherence to the rules
 and policies of CAcert
 => ok
 "I certify .." checked, 2 other checkboxes unchecked ->
 ERROR: You failed to check all boxes to validate your adherence to the rules
 and policies of CAcert
 => ok
 "I believe .." checked, 2 other checkboxes unchecked ->
 ERROR: You failed to check all boxes to validate your adherence to the rules
 and policies of CAcert
 => ok
 "I have read.." checked, 2 other checkboxes unchecked ->
 ERROR: You failed to check all boxes to validate your adherence to the rules
 and policies of CAcert
 => ok

 "I certify.." + "I believe.." checked, "I have read.." unchecked ->
 ERROR: You failed to check all boxes to validate your adherence to the rules
 and policies of CAcert
 => ok
 "I certify.." + "I have read.." checked, "I believe.." unchecked ->
 ERROR: You failed to check all boxes to validate your adherence to the rules
 and policies of CAcert
 => ok
 "I believe.." + "I have read.." checked, "I certify.." unchecked ->
 ERROR: You failed to check all boxes to validate your adherence to the rules
 and policies of CAcert
 => ok

 "I certify.." + "I believe.." + "I have read.." (all 3) checked ->
 finishes assurance with message and new field to enter next assurance:
 "Shortly you and the person you were assuring will receive an email
 confirmation. There is no action on your behalf required to complete this."
 => ok

Trusted Third Party -> https://cacert1.it-sls.de/wot.php?id=4
 switches to text page:
 "Note that the TTP programme is effectively Frozen
 Until a subsidiary policy under AP is written, it is against AP rules."
 within webdb (probably needs redirect to wiki ?!?) => ok

Uli60

2011-09-24 20:00

updater   ~0002504

Menues (cont.)
CAP Forms - no links
Disputes/Abuses - no links
Advertising - no links

Uli60

2011-09-24 20:03

updater   ~0002505

Last edited: 2011-09-24 20:07

View 2 revisions

login with admin account with all admin flags enabled

addtl. menues:
Org Client Certs - no links
Org Server Certs - no links
Org Assurer - no links
System Admin - no links

Summarize (all links starting with wot.php)
My Details:
 My Listing - https://cacert1.it-sls.de/wot.php?id=8
 My Location - https://cacert1.it-sls.de/wot.php?id=13
 My Points - https://cacert1.it-sls.de/wot.php?id=10

 My Points has sublinks
  https://cacert1.it-sls.de/wot.php?id=9&..

CAcert Web of Trust
 About -> https://cacert1.it-sls.de/wot.php?id=0
 Find an Assurer -> https://cacert1.it-sls.de/wot.php?id=12
 Rules -> https://cacert1.it-sls.de/wot.php?id=3
 Assure Someone -> https://cacert1.it-sls.de/wot.php?id=5
 Trusted Third Party -> https://cacert1.it-sls.de/wot.php?id=4

INOPIAE

2011-09-27 09:19

updater   ~0002532

Last edited: 2011-09-27 09:30

View 2 revisions

Assurer someone as admin
I certify empty
I believe empty
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe empty
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe ticked
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe empty
I have ticked
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe ticked
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe empty
I have ticked
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe ticked
I have ticked
=> assurance could be entered
=> ok as admin is able to grant points without meeting people eg. TTP

I certify ticked
I believe ticked
I have ticked
=> Assurance could be entered
=>ok

Assurer someone as non admin
I certify empty
I believe empty
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe empty
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe ticked
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe empty
I have ticked
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe ticked
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe empty
I have ticked
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe ticked
I have ticked
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=> ok

I certify ticked
I believe ticked
I have ticked
=> Assurance could be entered
=>ok

Uli60

2011-09-27 09:31

updater   ~0002533

Last edited: 2011-10-04 12:14

View 2 revisions

assure someone with admin account (200 pts, all admin flags set)
"I believe.." + "I have read.." checked, "I certify.." unchecked ->
 finishes assurance with message and new field to enter next assurance:
 "Shortly you and the person you were assuring will receive an email
 confirmation. There is no action on your behalf required to complete this."
 -> Error / Problem ?
  answer given in meeting 2011-09-24: is used in TTP (no F2F meeting!)
=> ok

assure someone with regular assurer account (150 pts, CATS passed)
"I believe.." + "I have read.." checked, "I certify.." unchecked ->
ERROR: You failed to check all boxes to validate your adherence to the rules
and policies of CAcert
=> ok

Uli60

2011-10-04 12:15

updater   ~0002569

tested by 2 testers
needs 2nd review + deploy to critical team

NEOatNHNG

2011-10-12 14:22

administrator   ~0002594

There is no field to send a reminder on the page after entering an unknown email address. Instead it shows up the next time you go to the Assure someone page.

Uli60

2011-10-18 23:57

updater   ~0002603

fix transfered to cacert-devel 2011-10-18 23:00

Uli60

2011-10-18 23:58

updater   ~0002604

transfered to testserver by NEO

Uli60

2011-10-19 00:03

updater   ~0002605

login as assurer
WoT - assure someone
bug894.test894@wiamail.de
email address not found
displays checkbox "send reminder notice"
lang selection box, setting to german
send reminder
=> ok

login to ca-mgr1 with assurer account - mail
reminder mail not found (email address not avail) => ok

login to not existing email doesn't work under ca-mgr1 => ok

mail sending cannot be verified

NEOatNHNG

2011-10-22 23:00

administrator   ~0002630

0000894:0002605: Mail sending can be verified. Just create an account on the test server with the email address _after_ the reminder should have been send. The mail will show up in the test management system.

NEOatNHNG

2011-10-23 00:39

administrator   ~0002631

I have reviewed the changes and stumbled over some minor issues. I have corrected them and put the corrections on the test server.
Most relevant:
- I have changed how the message "A reminder notice has been sent." is displayed -> needs to be tested whether it works as intended under all circumstances
- If a user hasn't yet verified his account the assurance can't continue (this was also present in the previous code but was not triggered because of assignment instead of comparison)
- "points" still have to be limited otherwise an ordinary user might accumulate more than 150 points which in turn means he can issue more than 35 points

Please rereview the changes I have made and test them.

NEOatNHNG

2011-10-25 21:57

administrator   ~0002646

Dirk has reviewed the patch needs some more testing then it's good to go.

INOPIAE

2011-11-19 08:30

updater   ~0002706

Last edited: 2011-11-19 08:38

View 2 revisions

Assurer someone as admin
I certify empty
I believe empty
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe empty
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe ticked
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe empty
I have ticked
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe ticked
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe empty
I have ticked
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe ticked
I have ticked
=> assurance could be entered
=> ok as admin is able to grant points without meeting people eg. TTP

I certify ticked
I believe ticked
I have ticked
=> Assurance could be entered
=>ok

Assurer someone as non admin
I certify empty
I believe empty
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe empty
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe ticked
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe empty
I have ticked
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe ticked
I have empty
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify ticked
I believe empty
I have ticked
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=>ok

I certify empty
I believe ticked
I have ticked
=> ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=> ok

I certify ticked
I believe ticked
I have ticked
=> Assurance could be entered
=>ok

Entering an email adress not in the system =>
Error message, dropdown box for langauage and send button visible => ok

NEOatNHNG

2011-11-30 12:15

administrator   ~0002731

Dirk has added a patch which allows leaving out the Assurance policy check box because that would hinder the reentering of old assurances as needed by 0000827. I have reviewed the changes, they are good to go.

Uli60

2011-11-30 13:41

updater   ~0002732

relating to https://bugs.cacert.org/view_user_page.php?id=635
tests were made and reported by Inopiae within the Software-Assessment project team meeting
https://wiki.cacert.org/Software/Assessment/20111129-S-A-MiniTOP

NEOatNHNG

2011-12-10 17:46

administrator   ~0002740

Patch sent to critical admins.

wytze

2011-12-12 09:55

developer   ~0002743

The fix has been applied to the production server on December 12, 2011.
See also https://lists.cacert.org/wws/arc/cacert-systemlog/2011-12/msg00002.html

Werner Dworak

2012-12-21 05:09

updater   ~0003511

More than 3 month fixed and no complaints

Issue History

Date Modified Username Field Change
2010-11-21 23:40 Uli60 New Issue
2010-11-21 23:42 Uli60 Severity minor => major
2010-11-21 23:42 Uli60 Reproducibility have not tried => always
2010-11-21 23:42 Uli60 Description Updated
2010-11-21 23:42 Uli60 Steps to Reproduce Updated
2010-11-21 23:44 Uli60 Note Added: 0001792
2011-09-06 21:30 NEOatNHNG Source_changeset_attached => cacert-devel master 982471df
2011-09-06 21:40 moh Assigned To => moh
2011-09-06 21:54 Uli60 Note Added: 0002413
2011-09-06 21:56 Uli60 Note Added: 0002414
2011-09-06 21:56 Uli60 Assigned To moh => NEOatNHNG
2011-09-06 21:56 Uli60 Status new => needs review & testing
2011-09-20 22:00 NEOatNHNG Source_changeset_attached => cacert-devel master 63f2e2a4
2011-09-20 22:00 Source_changeset_attached => cacert-devel master 4d67b741
2011-09-20 22:00 Source_changeset_attached => cacert-devel master 7e3b37c7
2011-09-20 22:00 Source_changeset_attached => cacert-devel master 5f396519
2011-09-24 19:36 Uli60 Note Added: 0002501
2011-09-24 19:58 Uli60 Note Added: 0002503
2011-09-24 20:00 Uli60 Note Added: 0002504
2011-09-24 20:03 Uli60 Note Added: 0002505
2011-09-24 20:07 Uli60 Note Edited: 0002505 View Revisions
2011-09-27 09:19 INOPIAE Note Added: 0002532
2011-09-27 09:30 INOPIAE Note Edited: 0002532 View Revisions
2011-09-27 09:31 Uli60 Note Added: 0002533
2011-09-27 23:12 NEOatNHNG Source_changeset_attached => cacert-devel testserver e2cef7bc
2011-10-04 12:14 Uli60 Note Edited: 0002533 View Revisions
2011-10-04 12:15 Uli60 Note Added: 0002569
2011-10-04 12:15 Uli60 Status needs review & testing => ready to deploy
2011-10-11 23:47 Uli60 Priority normal => high
2011-10-12 14:22 NEOatNHNG Note Added: 0002594
2011-10-12 14:22 NEOatNHNG Assigned To NEOatNHNG => egal
2011-10-12 14:22 NEOatNHNG Status ready to deploy => needs work
2011-10-18 21:05 NEOatNHNG Source_changeset_attached => cacert-devel testserver 29f660bd
2011-10-18 21:05 Source_changeset_attached => cacert-devel testserver c35b6629
2011-10-18 23:57 Uli60 Note Added: 0002603
2011-10-18 23:57 Uli60 Status needs work => fix available
2011-10-18 23:58 Uli60 Note Added: 0002604
2011-10-18 23:58 Uli60 Status fix available => needs review & testing
2011-10-19 00:03 Uli60 Note Added: 0002605
2011-10-20 17:56 NEOatNHNG Reviewed by => dastrath
2011-10-20 17:56 NEOatNHNG Assigned To egal => NEOatNHNG
2011-10-22 23:00 NEOatNHNG Note Added: 0002630
2011-10-23 00:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver c9a6be56
2011-10-23 00:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver efe89417
2011-10-23 00:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver 5c12fb42
2011-10-23 00:39 NEOatNHNG Note Added: 0002631
2011-10-23 00:41 NEOatNHNG Reviewed by dastrath => NEOatNHNG
2011-10-23 00:41 NEOatNHNG Assigned To NEOatNHNG => egal
2011-10-25 21:57 NEOatNHNG Note Added: 0002646
2011-10-25 21:57 NEOatNHNG Status needs review & testing => needs testing
2011-10-25 22:04 NEOatNHNG Reviewed by NEOatNHNG => dastrath, NEOatNHNG
2011-11-19 08:30 INOPIAE Note Added: 0002706
2011-11-19 08:38 INOPIAE Note Edited: 0002706 View Revisions
2011-11-29 22:10 NEOatNHNG Source_changeset_attached => cacert-devel testserver f60821f1
2011-11-29 22:10 Source_changeset_attached => cacert-devel testserver 5bcd2df2
2011-11-29 22:10 Source_changeset_attached => cacert-devel testserver 7dd8b7a0
2011-11-29 22:10 Source_changeset_attached => cacert-devel testserver 490f6a8d
2011-11-29 22:10 Source_changeset_attached => cacert-devel testserver ebe60f69
2011-11-30 12:15 NEOatNHNG Note Added: 0002731
2011-11-30 13:41 Uli60 Note Added: 0002732
2011-11-30 13:42 Uli60 Assigned To egal => NEOatNHNG
2011-11-30 13:42 Uli60 Status needs testing => ready to deploy
2011-12-10 17:46 NEOatNHNG Note Added: 0002740
2011-12-12 09:55 wytze Note Added: 0002743
2011-12-12 09:55 wytze Status ready to deploy => solved?
2011-12-12 09:55 wytze Resolution open => fixed
2012-12-21 05:09 Werner Dworak Note Added: 0003511
2012-12-21 05:09 Werner Dworak Status solved? => closed
2013-01-15 15:16 Werner Dworak Fixed in Version => 2011 Q4