1007224 - User auto-completion should take strict_isolation into account

Status: NEW

(Bugzilla :: Creating/Changing Bugs, defect)

Description

[federico.mennite@lifeware.ch]

User Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140421221237

Steps to reproduce:

I've inserted a partial login name while editing the CC list


Actual results:

Every userlogin matching the inserted string was shown.


Expected results:

Userlogins not included in any group associated with the current bug's product shouldn't be shown.

Comment 1

[u430950]

This is expected behavior. If you wish to restrict CC by group, please use the 'strict_isolation' parameter.

Comment 2

[federico.mennite@lifeware.ch]

Although this parameter avoids to assign the user accidentally to the bug it doesn't prevent it from being shown by auto-completion suggestions (seems to be a feature implemented using AJAX).

The suggestion list should IMHO also honor the 'strict_isolation' parameter.

Comment 3

[federico.mennite@lifeware.ch]

The effects on the users using our bug system aren't very nice.
Yes they aren't accidentally able to add users not associated with their product to the CC of a bug but still seeing "foreign users" being suggested as they type, is giving them the wrong feeling that something is wrong with the security of Bugzilla.

Comment 4

[Frédéric Buclin]

This bug is similar to bug 430275, except that this one is about global/userselect.html.tmpl not restricting the user list to those who can be added to the bug due to strict_isolation while bug 430275 is about Bugzilla::User->get_userlist having the same problem.