Bug 1027035

Summary: RFE: Copy to Clipboard button for project source download
Product: [Retired] Zanata Reporter: Damian Jansen <djansen>
Component: UsabilityAssignee: Isaac Rooskov <irooskov>
Status: CLOSED CURRENTRELEASE QA Contact: Zanata-QA Mailling List <zanata-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: developmentCC: camunoz, damason, dchen, lbrooker, sflaniga, yshao, zanata-bugs
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-25 05:58:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Damian Jansen 2013-11-05 23:41:43 UTC
Description of problem:
If a project creator adds a link in the Source Download/Checkout field, this link is shown in plain text on the project page

Version-Release number of selected component (if applicable):
3.x

How reproducible:
Easy always

Steps to Reproduce:
1. Sign in, go to Projects->Create Project
2. Enter a valid id and name
3. Enter some url into the Source Download/Checkout field
4. Press Save

Actual results:
The project page shows this url as text

Expected results:
The url should be shown as a link (preferably that opens in a new tab)

Comment 1 David Mason 2013-11-05 23:56:00 UTC
This is intentional. These locators are intended to provide machine-readable content and are likely not to work as a link in a browser. e.g. git:zanata/zanata-server.git

Comment 2 Damian Jansen 2013-11-06 00:01:28 UTC
Was: Project source url is not a link

Text Select -> Copy is a pain, a nice button ala github's copy to clipboard wouldn't displease me.

Comment 3 Carlos Munoz 2013-11-06 00:10:04 UTC
That would require a bit of Flash to have access to the clipboard. Last time I checked there wasn't a Javascript way of doing it for all browsers (but that information may be outdated). Anyway, yes that would be a nice-to-have.

Comment 4 Luke Brooker 2013-11-06 00:15:05 UTC
This area will be redesigned soon (hopefully next release), but we could at least put the source url in a readonly text field that can be selected with one click.

BTW, The field names really should be clearer when entering these, it's way too much cognitive load to work out what exactly the fields are for.

Comment 5 David Mason 2013-11-06 00:25:47 UTC
(In reply to Carlos Munoz from comment #3)
> That would require a bit of Flash to have access to the clipboard. Last time
> I checked there wasn't a Javascript way of doing it for all browsers (but
> that information may be outdated). Anyway, yes that would be a nice-to-have.

Your information is up-to-date, there is a W3C working draft for a JavaScript clipboard API, but that's as far as it has gone at the moment: http://www.w3.org/TR/clipboard-apis/

Comment 6 David Mason 2013-11-06 00:33:01 UTC
Security requires some consideration since we are taking arbitrary text entered by users that is presented for use on the command line (e.g. to be pasted after "git clone " and immediately run. There is potential for malicious commands to be inserted after a legitimate or apparently-legitimate url that could be accidentally run by a user not paying sufficient attention.

e.g. if the field contained: "git:zanata/zanata-server.git ; rm -rf /" a user's hard drive could be cleared if they are not paying attention.

Ideally we would restrict this field to containing known source control URL patterns. At very least we should ensure that all text in this field is always visible so that users cannot copy text that without having an opportunity to see what it is.

Comment 7 Ding-Yi Chen 2013-11-06 00:55:41 UTC
That means max length is required. What will that be?

Comment 8 Sean Flanigan 2013-11-06 04:42:44 UTC
Wait a minute, let's not go too deep into that rabbit hole!

If a developer is pasting random text into a prompt (BTW, "rm -rf /" won't work for a normal user), and then hitting enter without reading the command line, that's not Zanata's fault!

How about we just make sure the text can't contain a newline character?  That way, pasting the string won't initiate any action.

Anything more than that is chrome-plating.  I don't think we should check against known source control URLs at this stage, or we will be fiddling with it forever, adding new source control system and generally wasting time.

Most developers are just going to use the clickable link anyway.  The source control URL is mainly there for us, for possible use in future.

Comment 9 David Mason 2015-03-25 05:58:14 UTC
This appears to have been fixed as part of a UI update.