Bug 126801 - queryhelp.cgi ignores group-permissions - showing ALL products
Status: VERIFIED FIXED
applied to 2.14.2
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List
Version: 2.14.1
Hardware: x86 Linux
Importance: P1 blocker
Target Milestone: Bugzilla 2.16
Assigned To: Myk Melez [:myk] [@mykmelez]
QA Contact: default-qa
Duplicates: 130131
Reported: 2002-02-20 14:27 PST by Daniel Schwager
Modified: 2012-12-18 20:46 PST


Attachments
Possible replacement (7.47 KB, text/html)
2002-02-26 11:50 PST, Gervase Markham [:gerv]
bbaetz: review+
patch: checks permissions before displaying product (561 bytes, patch)
2002-04-01 16:10 PST, Myk Melez [:myk] [@mykmelez]
justdave: review+
gerv: review+
Backported patch for BUGZILLA-2_14_1-BRANCH (527 bytes, patch)
2002-05-10 03:06 PDT, J. Paul Reed [:preed]
gerv: review+
gerv: review+

Description Daniel Schwager 2002-02-20 14:27:09 PST
Hi,

if you log in to bugzilla as a user without permissions (
usebuggroups: on, usebuggroupsentry: on) to see specific products,
all the products AND components are listed on the help page
http://localhost/bugzilla/queryhelp.cgi

This is also shown WITHOUT logging in to the system!!! It is
a security bug!

regards

Danny
Comment 1 Bradley Baetz (:bbaetz) 2002-02-20 14:42:40 PST
-> security group, 2.16 blocker, and reassigning

Oops.
Comment 2 Dawn Endico 2002-02-20 15:08:54 PST
I disabled http://bugzilla.mozilla.org/queryhelp.cgi by changing the 
permission on the file to be not executable.
Comment 3 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-02-20 16:13:25 PST
Does it matter on b.m.o?  I didn't know you had hidden products.
Comment 4 Dawn Endico 2002-02-20 16:52:02 PST
you're right. we don't. i just renabled it.
Comment 5 Bradley Baetz (:bbaetz) 2002-02-20 21:13:22 PST
ccing netdemon, who wrote this.

Should we remove this file? Its descriptions are out of date given the new query
ui, and it takes ages to load.

It's also really, really long and complicated - why should an introductory page
for help on querying give a link to edit products if a user has editcomponents?
It also hard-codes values.

If we don't remove it, then the out of date instructions should become a release
blocker (as a separate bug)
Comment 6 David Lawrence [:dkl] 2002-02-21 07:20:43 PST
I agree that it should be dropped or just be an alternative template for query.cgi.
It is dreadfully slow on our site with over 400 components per product.
Comment 7 Brian 'netdragon' Bober 2002-02-21 17:11:02 PST
Go ahead and drop it for now. I am rewriting the online help system (bug 114179).
Comment 8 Dawn Endico 2002-02-21 17:52:08 PST
I really like having most of that information in one document. The only thing
I dislike is the time it takes to load and the load it puts on the system.

I propose the following changes.

1. Remove the keyword counts. That info isn't particularly useful to
   most users and takes a long time to compute.
2. Change this from a cgi that's run each time a user
   looks at it to a script that's run nightly by cron and output to
   a flat html file. Installations with secret products could run it
   by hand when needed and edit out the secret info (or whatever).
Comment 9 Brian 'netdragon' Bober 2002-02-21 18:30:58 PST
Endico: Is that something that would be reliable for all operating systems and
all configurations? What if at the beginning of the day after the first user
entered bugzilla, it spawned a process to do this? It could also do this
manually if there are any changes to the help system.

It would be too bad if this added any more dependencies to the configuration of
Bugzilla. I did find a perl emulation of cron: http://www.megadodo.demon.co.uk/perl/
This could be spawned possibly after the first user enters the system each day.
Also, remember that not everyone reboots their system or does a shadow database
update each day like b.m.o

With this, I believe, bugzilla could have its own built-in task scheduling
instead of relying on an outside program. 

I hope I'm making sense, because I'm not exactly sure on how cron works or how
the shadow database works :-)

OTOH, I was going to break apart the Bugzilla help system into manageable
sections. Would you rather it be in one file? I think this is something we
should discuss in the newsgroups.
Comment 10 Dawn Endico 2002-02-21 20:23:38 PST
Don't worry about what cron is. You don't need to implement it.
Just make a script that produces a web page (or multiple ones).
Bugzilla administrators can figure out if, when and how to run it.

On the other hand, if there's a better proposal for handling
help, then fine. I kind of like having things in one place, but
that discussion can happen in the news group. In the mean time,
doing what i propose would be a fairly easy fix if we're pressed
for time.
Comment 11 Gervase Markham [:gerv] 2002-02-23 02:19:43 PST
I've started a discussion about the best way to do help in Bugzilla in
n.p.m.webtools. If people could put their thoughts there, that would be great.

Gerv
Comment 12 Bradley Baetz (:bbaetz) 2002-02-23 20:25:31 PST
So, what are we doing for 2.16?
Comment 13 Brian 'netdragon' Bober 2002-02-25 19:45:26 PST
For now, I think we should just remove all the generated lists (products,
keywords, components).
Comment 14 Dawn Endico 2002-02-25 20:09:36 PST
there's no  point in  having this if you're going to remove the generated
lists.
Comment 15 Gervase Markham [:gerv] 2002-02-26 11:50:54 PST
Created attachment 71519 [details]
Possible replacement

Here's a possible replacement help text which I put together, based on Brian's.
If people could review it and tell me if it has the makings of a more helpful
replacement, I'd be grateful :-)

Gerv
Comment 16 Brian 'netdragon' Bober 2002-02-27 12:56:43 PST
Looks good Gervase. Endico: We can throw the generated lists back in when we
restructure the help system. As for the description about the Bugzilla system,
etc that Gervase left out, we can eventually put that back in too. For now,
though, this seems like a good temporary fix so we don't have to rush to get the
help system produced.

Comment 17 Bradley Baetz (:bbaetz) 2002-03-02 15:11:44 PST
Comment on attachment 71519 [details]
Possible replacement

r=bbaetz, if the w3c validator is happy with it. Are you going to templatise
it? It's probably not worth it, but it is technically user facing...
Comment 18 Gervase Markham [:gerv] 2002-03-03 10:14:05 PST
It's an HTML page - it's not dynamic. It is its own template :-)

Gerv
Comment 19 Bradley Baetz (:bbaetz) 2002-03-03 14:35:56 PST
Right - I hadn't noticed that the templatising of *.html got pushed off. Are you
going to redirect the .cgi to the .html? Then redirect back for 2.18? Just chuck
it in a template as is, with a quick wrapper cgi.
Comment 20 Gervase Markham [:gerv] 2002-03-03 15:53:59 PST
I was planning to replace the link on the query page with a link to the HTML
version :-)

Also, it's by no means certain that the 2.18 help will be a separate CGI - see
discussions in the newsgroup.

Gerv
Comment 21 Bradley Baetz (:bbaetz) 2002-03-03 16:31:28 PST
If any part of it is dynamic, it will be a cgi...

I'm mainly concerned about bookmarked links.
Comment 22 Gervase Markham [:gerv] 2002-03-04 00:24:47 PST
> If any part of it is dynamic, it will be a cgi...

Not if it's part of the query page itself. Well, not a separate CGI, anyway.
Please see the NG discussions.

> I'm mainly concerned about bookmarked links.

To the query page help? :-) I'm not convinced that this is a problem.

Gerv

Comment 23 Gervase Markham [:gerv] 2002-03-06 12:09:02 PST
The validator loves it (except for the no-charset thing, but all our pages have
that, right?)

Gerv
Comment 24 Matthew Tuck [:CodeMachine] 2002-03-13 17:54:13 PST
What's wrong with just fixing up the CGI?
Comment 25 Gervase Markham [:gerv] 2002-03-14 01:15:35 PST
> What's wrong with just fixing up the CGI?

Well, it is based on the text in the CGI. But the reasons it's very different
are that:

- Doing a CGI thing is more work, if we want the user to see exactly the right
stuff they have permissions for
- Doing the CGI thing is less good - all that dynamic stuff merely confuses. One
user rightly complained to me "All I want to do is search for duplicates. Why do
I have to read 40 pages of 'help' first?" There is an order of magnitude too
much stuff in the old help.

I believe my replacement is the right way to go in the period before we get the
proper help system in place, as outlined in the newsgroup.

Gerv
Comment 26 Myk Melez [:myk] [@mykmelez] 2002-04-01 16:10:36 PST
Created attachment 77127 [details] [diff] [review]
patch: checks permissions before displaying product

There's no agreement on what to do with the page, so we should do the simple
thing now and figure out the rest after 2.16.  This patch does the same thing
query.cgi does before displaying a product to a user.
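The check comment 26 describes, as an added example in Python rather than Bugzilla's own Perl (this is not the project's code). It models the usebuggroups rule of that era as stated in the thread: a restricted product has a group of the same name, a user's memberships are a bitmask ("groupset"), and an anonymous visitor has groupset 0. The product/component table, the group bit assignments and all function names are constructed for the example. It puts the reported behaviour (list everything for everyone) beside the fixed behaviour (filter with the same check query.cgi applies), and adds a leak check of the kind a regression test for any product-enumerating page should assert.

```python
# Added illustrative model (not Bugzilla code). Group bits, the product table
# and every name below are constructed for this example.

USEBUGGROUPS = True  # the "usebuggroups" parameter named in the bug report

# With usebuggroups on, a restricted product has a group of the same name.
# A user's memberships are a bitmask; anonymous visitors hold no bits.
GROUPS = {            # constructed bit assignments
    "SecretProduct": 1 << 0,
    "Internal": 1 << 1,
}

PRODUCTS = {          # constructed product -> components table
    "Bugzilla": ["Query/Bug List", "Creating/Changing Bugs"],
    "SecretProduct": ["Core"],
    "Internal": ["Tools"],
}

ANONYMOUS = 0


def group_exists(name: str) -> bool:
    return name in GROUPS


def user_in_group(groupset: int, name: str) -> bool:
    return bool(groupset & GROUPS[name])


def product_visible(product: str, groupset: int, usebuggroups: bool = USEBUGGROUPS) -> bool:
    """Modelled check: hide the product when bug groups are on, a group of the
    same name exists, and the user is not a member of it."""
    if usebuggroups and group_exists(product) and not user_in_group(groupset, product):
        return False
    return True


def queryhelp_unchecked(products: dict) -> list:
    """The reported behaviour: every product and component, for everyone,
    logged in or not."""
    return [(p, c) for p in sorted(products) for c in products[p]]


def queryhelp_checked(products: dict, groupset: int, usebuggroups: bool = USEBUGGROUPS) -> list:
    """The fixed behaviour: apply the same visibility check before listing."""
    return [
        (p, c)
        for p in sorted(products)
        if product_visible(p, groupset, usebuggroups)
        for c in products[p]
    ]


def visible_products(products: dict, groupset: int, usebuggroups: bool = USEBUGGROUPS) -> list:
    return sorted({p for p, _ in queryhelp_checked(products, groupset, usebuggroups)})


def leaked_products(listing: list, groupset: int, usebuggroups: bool = USEBUGGROUPS) -> list:
    """Regression check: products present in a rendered listing that this
    user is not entitled to see. Empty means no disclosure."""
    return sorted({p for p, _ in listing if not product_visible(p, groupset, usebuggroups)})


if __name__ == "__main__":
    print("anonymous, unchecked leaks:", leaked_products(queryhelp_unchecked(PRODUCTS), ANONYMOUS))
    print("anonymous, checked leaks:  ", leaked_products(queryhelp_checked(PRODUCTS, ANONYMOUS), ANONYMOUS))
    print("member of SecretProduct sees:", visible_products(PRODUCTS, GROUPS["SecretProduct"]))
```

The root cause in this bug was not a wrong check but a second code path (queryhelp.cgi) that never applied the check query.cgi already had, so the useful test is the leak check run against every page that enumerates products, with the anonymous groupset as the baseline case.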
Comment 27 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-04-01 17:24:51 PST
reassign to patch author.  Also letting the bot see updates on it.
Comment 28 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-04-01 17:26:20 PST
Comment on attachment 77127 [details] [diff] [review]
patch: checks permissions before displaying product

r= justdave
Comment 29 Gervase Markham [:gerv] 2002-04-02 08:07:19 PST
The only person who has expressed concerns about the new version is MattyT. I
believe I've answered those.

Is anyone actually arguing that (on b.m.o particularly, but generally) the old
version is actually more helpful to any sort of user than the new one?

If no-one wants to stand up and say that, we should check mine in. If someone
wants to make a case for the old one, we can check Myk's in, and argue about it
later.

Gerv
Comment 30 Myk Melez [:myk] [@mykmelez] 2002-04-02 12:56:09 PST
>Is anyone actually arguing that (on b.m.o particularly, but generally) the old
>version is actually more helpful to any sort of user than the new one?

Yes, Dawn is in comment 8, so let's check in the patch and argue about the file
as a whole later.
Comment 31 Dawn Endico 2002-04-02 13:05:18 PST
i second myk's motion.
Comment 32 Gervase Markham [:gerv] 2002-04-02 13:19:32 PST
Comment on attachment 77127 [details] [diff] [review]
patch: checks permissions before displaying product

<shrug>. OK. r=gerv, then.

Gerv
Comment 33 Gervase Markham [:gerv] 2002-04-02 14:10:38 PST
*** Bug 130131 has been marked as a duplicate of this bug. ***
Comment 34 Gervase Markham [:gerv] 2002-04-02 14:21:21 PST
Can someone mark the dupe confidential?

Gerv
Comment 35 Myk Melez [:myk] [@mykmelez] 2002-04-03 12:28:36 PST
Checking in queryhelp.cgi;
/cvsroot/mozilla/webtools/bugzilla/queryhelp.cgi,v  <--  queryhelp.cgi
new revision: 1.9; previous revision: 1.8
done
rlog: /cvsroot/mozilla/webtools/bugzilla/queryhelp.cgi,v:21: missing ';' after
'symbols'
rlog aborted
Comment 36 Bradley Baetz (:bbaetz) 2002-04-03 15:23:53 PST
> rlog: /cvsroot/mozilla/webtools/bugzilla/queryhelp.cgi,v:21: missing ';' after
'symbols'
> rlog aborted

Um, what??

bonsai doesn't seem to have picked up the actual diff either, although it was
commited to cvs.
Comment 37 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-05-08 21:52:56 PDT
munging ccs
Comment 38 J. Paul Reed [:preed] 2002-05-10 03:06:57 PDT
Created attachment 83023 [details] [diff] [review]
Backported patch for BUGZILLA-2_14_1-BRANCH

easy short patch!
Comment 39 Gervase Markham [:gerv] 2002-05-11 02:21:15 PDT
Comment on attachment 83023 [details] [diff] [review]
Backported patch for BUGZILLA-2_14_1-BRANCH

2xr=gerv.

Gerv
Comment 40 J. Paul Reed [:preed] 2002-05-11 03:11:23 PDT
Checked in on BUGZILLA-2_14_1-BRANCH.
Comment 41 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-05-12 09:12:05 PDT
Adding representatives of the packagers to bugs that are going into the
Bugzilla 2.14.2 security update
Comment 42 Bradley Baetz (:bbaetz) 2002-05-15 22:30:08 PDT
moving secure bugzilla/webtools bugs from mozilla security group to the new
bugzilla security group.
Comment 43 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-06-08 00:01:15 PDT
2.14.2 is out, removing security group.
Comment 44 Brian 'netdragon' Bober 2002-09-23 22:57:28 PDT
vrfy