Closed
Bug 126801
Opened 22 years ago
Closed 22 years ago
queryhelp.cgi ignores group-permissions - showing ALL products
Categories
(Bugzilla :: Query/Bug List, defect, P1)
Tracking
()
VERIFIED
FIXED
Bugzilla 2.16
People
(Reporter: Daniel.Schwager, Assigned: myk)
References
Details
(Whiteboard: applied to 2.14.2)
Attachments
(3 files)
Hi, if you login to bugzilla as an user without having permissions ( usebuggroups:on, usebuggroupsentry: on) to show specific products, all the products AND components are listed on the help-site http://localhost/bugzilla/queryhelp.cgi This is shown also WITHOUT login to the system !!! It is a security bug ! regards Danny
Comment 1•22 years ago
|
||
-> security group, 2.16 blocker, and reassigning Oops.
Assignee: barnboy → endico
Group: security?
Severity: major → blocker
Component: Documentation → Query/Bug List
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
Comment 2•22 years ago
|
||
I disabled http://bugzilla.mozilla.org/queryhelp.cgi by changing the permission on the file to be not executable.
Comment 3•22 years ago
|
||
Does it matter on b.m.o? I didn't know you had hidden products.
Comment 4•22 years ago
|
||
you're right. we don't. i just renabled it.
Comment 5•22 years ago
|
||
ccing netdemon, who wrote this. Should we remove this file? Its descriptions are out of date given the new query ui, and it takes ages to load. Its also really really long and complicated - why should an introductory page for help on querying give a link to edit products if a user has editcomponents? It also hard codes values. If we don't remove it, then the out of date instructions should become a release blocker (as a separate bug)
Comment 6•22 years ago
|
||
I agree that it should be dropped or just be an alternative template for query.cgi. It is dreadfully slow on our site with over 400 components per product.
Comment 7•22 years ago
|
||
Go ahead and drop it for now. I am rewriting the online help system (bug 114179).
Comment 8•22 years ago
|
||
I really like having most of that information in one document. The only thing I dislike is the time it takes to load and the load it puts on the system. I propose the following changes. 1. Remove the keyword counts. That info isn't particularly useful to most users and takes a long time to compute. 2. Change this from a cgi that's run each time each time a user looks at it to a script that's run nightly by cron and output to a flat html file. Installations with secret products could run it by hand when needed and edit out the secret info (or whatever).
Comment 9•22 years ago
|
||
Endico: Is that something that would be reliable for all operating systems and all configurations? What if at the beginning of the day after the first user entered bugzilla, it spawned a process to do this? It could also do this manually if there are any changes to the help system. It would be too bad if this added anymore dependancies to the configuration of Bugzilla. I did find a perl emulation of cron: http://www.megadodo.demon.co.uk/perl/ This could be spawned possibly after the first user enters the system each days. Also, remember that not everyone reboots their system or does a shadow database update each day like b.m.o With this, I believe, bugzilla could have its own built-in task scheduling instead of relying on an outside program. I hope I'm making sense, because I'm not exactly sure on how cron works or how the shadow database works :-) OTOH, I was going to break apart the Bugzilla help system into manageable sections. Would you rather it be in one file? I think this is something we should discuss in the newsgroups.
Comment 10•22 years ago
|
||
Don't worry about what cron is. You don't need to implement it. Just make a script that produces a web page (or multiple ones). Bugzilla administrators can figure out if, when and how to run it. On the other hand, if there's a better proposal for handling help, then fine. I kind of like having things in one place, but that discussion can happen in the news group. In the mean time, doing what i propose would be a fairly easy fix if we're pressed for time.
Comment 11•22 years ago
|
||
I've started a discussion about the best way to do help in Bugzilla in n.p.m.webtools. If people could put their thoughts there, that would be great. Gerv
Comment 12•22 years ago
|
||
So, what are we doing for 2.16?
Comment 13•22 years ago
|
||
For now, I think we should just remove all the generated lists (products, keywords, components).
Comment 14•22 years ago
|
||
there's no point in having this if you're going to remove the generated lists.
Comment 15•22 years ago
|
||
Here's a possible replacement help text which I put together, based on Brian's. If people could review it and tell me if it has the makings of a more helpful replacement, I'd be grateful :-) Gerv
Comment 16•22 years ago
|
||
Looks good Gervase. Endico: We can throw the generated lists back in when we restructure the help system. As for the description about the Bugzilla system, etc that Gervase left out, we can eventually put that back in too. For now, though, this seems like a good temporary fix so we don't have to rush to get the help system produced.
Updated•22 years ago
|
Comment 17•22 years ago
|
||
Comment on attachment 71519 [details]
Possible replacement
r=bbaetz, if the w3c validator is happy with it. Are you going to templatise
it? Its probably not worth it, but it is technically user facing...
Attachment #71519 -
Flags: review+
Comment 18•22 years ago
|
||
It's an HTML page - it's not dynamic. It is its own template :-) Gerv
Comment 19•22 years ago
|
||
Right - I hadn't noticed that the templatising of *.html got pushed off. Are you going to redirect the .cgi to the .html? Then redirect back for 2.18? Just chuck it in a template as is, with a quick wrapper cgi.
Comment 20•22 years ago
|
||
I was planning to replace the link on the query page with a link to the HTML version :-) Also, it's by no means certain that the 2.18 help will be a separate CGI - see discussions in the newsgroup. Gerv
Comment 21•22 years ago
|
||
If any part of it is dynamic, it will be a cgi... I'm mainly concerned about bookmarked links.
Comment 22•22 years ago
|
||
> If any part of it is dynamic, it will be a cgi...
Not if it's part of the query page itself. Well, not a separate CGI, anyway.
Please see the NG discussions.
I'> m mainly concerned about bookmarked links.
To the query page help? :-) I'm not convinced that this is a problem.
Gerv
Comment 23•22 years ago
|
||
The validator loves it (except for the no-charset thing, but all our pages have that, right?) Gerv
Comment 24•22 years ago
|
||
What's wrong with just fixing up the CGI?
Comment 25•22 years ago
|
||
> What's wrong with just fixing up the CGI?
Well, it is based on the text in the CGI. But the reasons it's very different
are that:
- Doing a CGI thing is more work, if we want the user to see exactly the right
stuff they have permissions for
- Doing the CGI thing is less good - all that dynamic stuff merely confuses. One
user rightly complained to me "All I want to do is search for duplicates. Why do
I have to read 40 pages of 'help' first?" There is an order of magnitude too
much stuff in the old help.
I believe my replacement is the right way to go in the period before we get the
proper help system in place, as outlined in the newsgroup.
Gerv
Assignee | ||
Comment 26•22 years ago
|
||
There's no agreement on what to do with the page, so we should do the simple thing now and figure out the rest after 2.16. This patch does the same thing query.cgi does before displaying a product to a user.
Comment 27•22 years ago
|
||
reassign to patch author. Also letting the bot see updates on it.
Assignee: endico → myk
Comment 28•22 years ago
|
||
Comment on attachment 77127 [details] [diff] [review] patch: checks permissions before displaying product r= justdave
Attachment #77127 -
Flags: review+
Comment 29•22 years ago
|
||
The only person who has expressed concerns about the new version is MattyT. I believe I've answered those. Is anyone actually arguing that (on b.m.o particularly, but generally) the old version is actually more helpful to any sort of user than the new one? If no-one wants to stand up and say that, we should check mine in. If someone wants to make a case for the old one, we can check Myk's in, and argue about it later. Gerv
Assignee | ||
Comment 30•22 years ago
|
||
>Is anyone actually arguing that (on b.m.o particularly, but generally) the old >version is actually more helpful to any sort of user than the new one? Yes, Dawn is in comment 8, so let's check in the patch and argue about the file as a whole later.
Comment 31•22 years ago
|
||
i second myk's motion.
Comment 32•22 years ago
|
||
Comment on attachment 77127 [details] [diff] [review] patch: checks permissions before displaying product <shrug>. OK. r=gerv, then. Gerv
Attachment #77127 -
Flags: review+
Comment 33•22 years ago
|
||
*** Bug 130131 has been marked as a duplicate of this bug. ***
Comment 34•22 years ago
|
||
Can someone mark the dupe confidential? Gerv
Assignee | ||
Comment 35•22 years ago
|
||
Checking in queryhelp.cgi; /cvsroot/mozilla/webtools/bugzilla/queryhelp.cgi,v <-- queryhelp.cgi new revision: 1.9; previous revision: 1.8 done rlog: /cvsroot/mozilla/webtools/bugzilla/queryhelp.cgi,v:21: missing ';' after 'symbols' rlog aborted
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 36•22 years ago
|
||
> rlog: /cvsroot/mozilla/webtools/bugzilla/queryhelp.cgi,v:21: missing ';' after 'symbols' > rlog aborted Um, what?? bonsai doesn't seem to have picked up the actual diff either, although it was commited to cvs.
Comment 37•22 years ago
|
||
munging ccs
Comment 38•22 years ago
|
||
easy short patch!
Comment 39•22 years ago
|
||
Comment on attachment 83023 [details] [diff] [review] Backported patch for BUGZILLA-2_14_1-BRANCH 2xr=gerv. Gerv
Attachment #83023 -
Flags: review+
Comment 40•22 years ago
|
||
Checked in on BUGZILLA-2_14_1-BRANCH.
Updated•22 years ago
|
Whiteboard: applied to 2.14.2
Comment 41•22 years ago
|
||
Adding representatives of the packagers to bugs that are going into the Bugzilla 2.14.2 security update
Comment 42•22 years ago
|
||
moving secure bugzilla/webtools bugs from mozilla security group to the new bugzilla security group.
Group: security? → webtools-security?
Updated•11 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•