🔴 Risk threshold exceeded. This pull request modifies sensitive template files (dojo/templates/dojo/groups.html and dojo/templates/dojo/view_group.html); the scanner flags these as sensitive edits and notes that allowed paths/authors can be configured in .dryrunsecurity.yaml. Review these changes carefully to ensure they are intended and comply with your repository's security policies.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/view_group.html (drs_aa8e483a)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
We've notified @mtesauro.
Comment to provide feedback on these findings.
Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]
Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing
All finding details can be found in the DryRun Security Dashboard.
Btw I've added this as a label rather than a new column/form field as I guess it's not very meaningful for most people (as it wasn't asked before), so it doesn't take any visual space if social groups are not used
Description
When groups are synchronized with a social provider (that supports it), group.social_provider is set.
There is no way to set it manually nor any other scenario that sets it.
There's no visual indication in the UI of a group that was created (and is maintained) by a social provider integration and a group that was created manually (exists only in Dojo / local).
This is missed as social groups should not be modified as (most) changes will be overwritten and it's good to be able to spot them besides the name prefix of the configuration.
Test results