access to milestone documents should be restricted to bug groups

RESOLVED FIXED in Bugzilla 2.16

Status

()

P1
enhancement
RESOLVED FIXED
17 years ago
6 years ago

People

(Reporter: mhw, Assigned: bz)

Tracking

2.14
Bugzilla 2.16

Details

(Reporter)

Description

17 years ago
Bugzilla has an optional bug group facility which restricts access to products
to certain individuals. The milestone document that is related to a product
should also have access to it restricted by the bug groups mechanism, for
installations where visibility of information is important.
The milestone documents can be put wherever you want them, and as they are
most-likely static files, it is impossible for Bugzilla to impose any
restrictions on them (we don't supply anything but a space to put a URL pointing
to them, and they may or may not even be on the same server with Bugzilla). 
That would be up to you to make sure they're in a secure location where only
those who can see them will.

moving to documentation as this is something that probably should be pointed out
in the docs.

timeless says in IRC: "we should recommend that the milestone URL for protected
products should point at an attachment to a bug which is in that product, which
would then give it the same protection"

That solution would work well.  Upload your milestone document as an attachment
to a bug in that product, then point the milstone URL for that product at the
URL to view the attachment.
Assignee: justdave → barnboy
Component: Administration → Documentation
Target Milestone: --- → Bugzilla 2.16
(Reporter)

Comment 2

17 years ago
Y'know, I'd started off thinking that the best way to do this was to have a stub
cgi program to check permissions and then use the templating system to serve up
the actual milestone page, bringing it under bugzilla's control (or at least
giving the option).

But I actually prefer your solution: it works with the system we have already,
and we get an audit trail and simple revision control into the bargain. Perhaps
the only downside is that you need editcomponents privileges to update the link,
but that's not all that serious.
We are currently trying to wrap up Bugzilla 2.16.  We are now close enough to
release time that anything that wasn't already ranked at P1 isn't going to make
the cut.  Thus this is being retargetted at 2.18.  If you strongly disagree with
this retargetting, please comment, however, be aware that we only have about 2
weeks left to review and test anything at this point, and we intend to devote
this time to the remaining bugs that were designated as release blockers.
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
The docs should always be up-to-date when we release.  Forgot to exclude
Documentation when I mass-retargetted.
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Priority: -- → P1
Barnboy changed his email address and opened a new account instead of having the
address changed on his existing one.  Reassigning all docs bugs to his new account.
Assignee: barnboy → mbarnson
I've put this tip in the Milestone Admin section.

Gerv
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.