Bug 126801 - queryhelp.cgi ignores group-permissions - showing ALL products
Status: VERIFIED FIXED
applied to 2.14.2
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List
Version: 2.14.1
Hardware: x86 Linux
Importance: P1 blocker
Target Milestone: Bugzilla 2.16
Assigned To: Myk Melez [:myk] [@mykmelez]
QA Contact: default-qa
Mentors:
Duplicates: 130131
Depends on:
Blocks:
Reported: 2002-02-20 14:27 PST by Daniel Schwager
Modified: 2012-12-18 20:46 PST
CC: 15 users
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
Possible replacement (7.47 KB, text/html)
2002-02-26 11:50 PST, Gervase Markham [:gerv]
bbaetz: review+
patch: checks permissions before displaying product (561 bytes, patch)
2002-04-01 16:10 PST, Myk Melez [:myk] [@mykmelez]
justdave: review+
gerv: review+
Backported patch for BUGZILLA-2_14_1-BRANCH (527 bytes, patch)
2002-05-10 03:06 PDT, J. Paul Reed [:preed]
gerv: review+
gerv: review+

Description Daniel Schwager 2002-02-20 14:27:09 PST
Hi,

if you log in to bugzilla as a user without having permissions (
usebuggroups: on, usebuggroupsentry: on) to show specific products,
all the products AND components are listed on the help site
http://localhost/bugzilla/queryhelp.cgi

This is also shown WITHOUT logging in to the system !!! It is
a security bug !

regards

Danny
Comment 1 Bradley Baetz (:bbaetz) 2002-02-20 14:42:40 PST
-> security group, 2.16 blocker, and reassigning

Oops.
Comment 2 Dawn Endico 2002-02-20 15:08:54 PST
I disabled http://bugzilla.mozilla.org/queryhelp.cgi by changing the 
permission on the file to be not executable.
Comment 3 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-02-20 16:13:25 PST
Does it matter on b.m.o?  I didn't know you had hidden products.
Comment 4 Dawn Endico 2002-02-20 16:52:02 PST
you're right. we don't. i just re-enabled it.
Comment 5 Bradley Baetz (:bbaetz) 2002-02-20 21:13:22 PST
ccing netdemon, who wrote this.

Should we remove this file? Its descriptions are out of date given the new query
ui, and it takes ages to load.

It's also really really long and complicated - why should an introductory page
for help on querying give a link to edit products if a user has editcomponents?
It also hard codes values.

If we don't remove it, then the out of date instructions should become a release
blocker (as a separate bug)
Comment 6 David Lawrence [:dkl] 2002-02-21 07:20:43 PST
I agree that it should be dropped or just be an alternative template for query.cgi.
It is dreadfully slow on our site with over 400 components per product.
Comment 7 Brian 'netdragon' Bober 2002-02-21 17:11:02 PST
Go ahead and drop it for now. I am rewriting the online help system (bug 114179).
Comment 8 Dawn Endico 2002-02-21 17:52:08 PST
I really like having most of that information in one document. The only thing
I dislike is the time it takes to load and the load it puts on the system.

I propose the following changes.

1. Remove the keyword counts. That info isn't particularly useful to
   most users and takes a long time to compute.
2. Change this from a cgi that's run each time a user
   looks at it to a script that's run nightly by cron and output to
   a flat html file. Installations with secret products could run it
   by hand when needed and edit out the secret info (or whatever).
Comment 9 Brian 'netdragon' Bober 2002-02-21 18:30:58 PST
Endico: Is that something that would be reliable for all operating systems and
all configurations? What if at the beginning of the day after the first user
entered bugzilla, it spawned a process to do this? It could also do this
manually if there are any changes to the help system.

It would be too bad if this added any more dependencies to the configuration of
Bugzilla. I did find a perl emulation of cron: http://www.megadodo.demon.co.uk/perl/
This could be spawned possibly after the first user enters the system each day.
Also, remember that not everyone reboots their system or does a shadow database
update each day like b.m.o

With this, I believe, bugzilla could have its own built-in task scheduling
instead of relying on an outside program. 

I hope I'm making sense, because I'm not exactly sure on how cron works or how
the shadow database works :-)

OTOH, I was going to break apart the Bugzilla help system into manageable
sections. Would you rather it be in one file? I think this is something we
should discuss in the newsgroups.
Comment 10 Dawn Endico 2002-02-21 20:23:38 PST
Don't worry about what cron is. You don't need to implement it.
Just make a script that produces a web page (or multiple ones).
Bugzilla administrators can figure out if, when and how to run it.

On the other hand, if there's a better proposal for handling
help, then fine. I kind of like having things in one place, but
that discussion can happen in the news group. In the mean time,
doing what i propose would be a fairly easy fix if we're pressed
for time.
Comment 11 Gervase Markham [:gerv] 2002-02-23 02:19:43 PST
I've started a discussion about the best way to do help in Bugzilla in
n.p.m.webtools. If people could put their thoughts there, that would be great.

Gerv
Comment 12 Bradley Baetz (:bbaetz) 2002-02-23 20:25:31 PST
So, what are we doing for 2.16?
Comment 13 Brian 'netdragon' Bober 2002-02-25 19:45:26 PST
For now, I think we should just remove all the generated lists (products,
keywords, components).
Comment 14 Dawn Endico 2002-02-25 20:09:36 PST
there's no point in having this if you're going to remove the generated
lists.
Comment 15 Gervase Markham [:gerv] 2002-02-26 11:50:54 PST
Created attachment 71519 [details]
Possible replacement

Here's a possible replacement help text which I put together, based on Brian's.
If people could review it and tell me if it has the makings of a more helpful
replacement, I'd be grateful :-)

Gerv
Comment 16 Brian 'netdragon' Bober 2002-02-27 12:56:43 PST
Looks good Gervase. Endico: We can throw the generated lists back in when we
restructure the help system. As for the description about the Bugzilla system,
etc that Gervase left out, we can eventually put that back in too. For now,
though, this seems like a good temporary fix so we don't have to rush to get the
help system produced.

Comment 17 Bradley Baetz (:bbaetz) 2002-03-02 15:11:44 PST
Comment on attachment 71519 [details]
Possible replacement

r=bbaetz, if the w3c validator is happy with it. Are you going to templatise
it? It's probably not worth it, but it is technically user facing...
Comment 18 Gervase Markham [:gerv] 2002-03-03 10:14:05 PST
It's an HTML page - it's not dynamic. It is its own template :-)

Gerv
Comment 19 Bradley Baetz (:bbaetz) 2002-03-03 14:35:56 PST
Right - I hadn't noticed that the templatising of *.html got pushed off. Are you
going to redirect the .cgi to the .html? Then redirect back for 2.18? Just chuck
it in a template as is, with a quick wrapper cgi.
Comment 20 Gervase Markham [:gerv] 2002-03-03 15:53:59 PST
I was planning to replace the link on the query page with a link to the HTML
version :-)

Also, it's by no means certain that the 2.18 help will be a separate CGI - see
discussions in the newsgroup.

Gerv
Comment 21 Bradley Baetz (:bbaetz) 2002-03-03 16:31:28 PST
If any part of it is dynamic, it will be a cgi...

I'm mainly concerned about bookmarked links.
Comment 22 Gervase Markham [:gerv] 2002-03-04 00:24:47 PST
> If any part of it is dynamic, it will be a cgi...

Not if it's part of the query page itself. Well, not a separate CGI, anyway.
Please see the NG discussions.

> I'm mainly concerned about bookmarked links.

To the query page help? :-) I'm not convinced that this is a problem.

Gerv

Comment 23 Gervase Markham [:gerv] 2002-03-06 12:09:02 PST
The validator loves it (except for the no-charset thing, but all our pages have
that, right?)

Gerv
Comment 24 Matthew Tuck [:CodeMachine] 2002-03-13 17:54:13 PST
What's wrong with just fixing up the CGI?
Comment 25 Gervase Markham [:gerv] 2002-03-14 01:15:35 PST
> What's wrong with just fixing up the CGI?

Well, it is based on the text in the CGI. But the reasons it's very different
are that:

- Doing a CGI thing is more work, if we want the user to see exactly the right
stuff they have permissions for
- Doing the CGI thing is less good - all that dynamic stuff merely confuses. One
user rightly complained to me "All I want to do is search for duplicates. Why do
I have to read 40 pages of 'help' first?" There is an order of magnitude too
much stuff in the old help.

I believe my replacement is the right way to go in the period before we get the
proper help system in place, as outlined in the newsgroup.

Gerv
Comment 26 Myk Melez [:myk] [@mykmelez] 2002-04-01 16:10:36 PST
Created attachment 77127 [details] [diff] [review]
patch: checks permissions before displaying product

There's no agreement on what to do with the page, so we should do the simple
thing now and figure out the rest after 2.16.  This patch does the same thing
query.cgi does before displaying a product to a user.
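The pattern Myk describes in comment 26 (apply the same product-visibility test that query.cgi applies before a product is listed) and the failure the description reports (a page that skips it and enumerates every product and component to anonymous visitors), as an added example that is not part of this bug or of Bugzilla's code. It is written in Python rather than Bugzilla's Perl; the Product and User types, the group name, the catalogue and the function names are constructed for the illustration. The usebuggroups flag models the parameter named in the description; the entry_group field is an assumption standing in for Bugzilla's per-product group.

```python
"""Product-visibility check for a listing page (constructed example).

One page (queryhelp.cgi) rendered every product and component without the
group check that query.cgi applies.  The fix is to route every listing
through a single visibility helper, so no page can forget the check.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Product:
    name: str
    components: Tuple[str, ...]
    # Group a user must belong to in order to see this product (assumed
    # field).  None means the product is public, visible even to anonymous users.
    entry_group: Optional[str] = None


@dataclass(frozen=True)
class User:
    login: Optional[str]                  # None represents an anonymous visitor
    groups: FrozenSet[str] = frozenset()  # group names the user belongs to


# Constructed catalogue: two public products and one restricted to a group.
CATALOGUE: Tuple[Product, ...] = (
    Product("Bugzilla", ("Query/Bug List", "Creating/Changing Bugs")),
    Product("Webtools", ("Bonsai", "Tinderbox")),
    Product("SecretProject", ("Core", "UI"), entry_group="secretproject-members"),
)

ANONYMOUS = User(login=None)


def can_see_product(user: User, product: Product, usebuggroups: bool = True) -> bool:
    """Return True if `user` may see `product`.

    With usebuggroups off every product is visible; with it on, a product
    that names an entry group is visible only to members of that group.
    """
    if not usebuggroups or product.entry_group is None:
        return True
    return product.entry_group in user.groups


def list_products_unchecked(catalogue: Tuple[Product, ...] = CATALOGUE) -> List[str]:
    """The behaviour this bug reports: every product name is rendered, for anyone."""
    return [p.name for p in catalogue]


def visible_products(user: User, catalogue: Tuple[Product, ...] = CATALOGUE,
                     usebuggroups: bool = True) -> List[Product]:
    """The fix: the one helper that every listing page must go through."""
    return [p for p in catalogue if can_see_product(user, p, usebuggroups)]


def render_help_listing(user: User, catalogue: Tuple[Product, ...] = CATALOGUE,
                        usebuggroups: bool = True) -> List[str]:
    """Produce the 'Product: component, component' lines a help page would show,
    restricted to what `user` is allowed to see."""
    return [f"{p.name}: {', '.join(p.components)}"
            for p in visible_products(user, catalogue, usebuggroups)]


if __name__ == "__main__":
    member = User(login="alice@example.invalid", groups=frozenset({"secretproject-members"}))
    print("unchecked listing:", list_products_unchecked())
    print("anonymous sees:   ", render_help_listing(ANONYMOUS))
    print("group member sees:", render_help_listing(member))
```

The unchecked listing reproduces the report: an anonymous visitor is shown SecretProject along with its components. The checked listing hides it until the visitor belongs to the product's group, and switching usebuggroups off restores the all-products view, matching the description's note that the parameter governs the behaviour. Keeping the test in one helper rather than in each CGI is what prevents a second page from repeating this bug.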
Comment 27 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-04-01 17:24:51 PST
reassign to patch author.  Also letting the bot see updates on it.
Comment 28 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-04-01 17:26:20 PST
Comment on attachment 77127 [details] [diff] [review]
patch: checks permissions before displaying product

r= justdave
Comment 29 Gervase Markham [:gerv] 2002-04-02 08:07:19 PST
The only person who has expressed concerns about the new version is MattyT. I
believe I've answered those.

Is anyone actually arguing that (on b.m.o particularly, but generally) the old
version is actually more helpful to any sort of user than the new one?

If no-one wants to stand up and say that, we should check mine in. If someone
wants to make a case for the old one, we can check Myk's in, and argue about it
later.

Gerv
Comment 30 Myk Melez [:myk] [@mykmelez] 2002-04-02 12:56:09 PST
>Is anyone actually arguing that (on b.m.o particularly, but generally) the old
>version is actually more helpful to any sort of user than the new one?

Yes, Dawn is in comment 8, so let's check in the patch and argue about the file
as a whole later.
Comment 31 Dawn Endico 2002-04-02 13:05:18 PST
i second myk's motion.
Comment 32 Gervase Markham [:gerv] 2002-04-02 13:19:32 PST
Comment on attachment 77127 [details] [diff] [review]
patch: checks permissions before displaying product

<shrug>. OK. r=gerv, then.

Gerv
Comment 33 Gervase Markham [:gerv] 2002-04-02 14:10:38 PST
*** Bug 130131 has been marked as a duplicate of this bug. ***
Comment 34 Gervase Markham [:gerv] 2002-04-02 14:21:21 PST
Can someone mark the dupe confidential?

Gerv
Comment 35 Myk Melez [:myk] [@mykmelez] 2002-04-03 12:28:36 PST
Checking in queryhelp.cgi;
/cvsroot/mozilla/webtools/bugzilla/queryhelp.cgi,v  <--  queryhelp.cgi
new revision: 1.9; previous revision: 1.8
done
rlog: /cvsroot/mozilla/webtools/bugzilla/queryhelp.cgi,v:21: missing ';' after
'symbols'
rlog aborted
Comment 36 Bradley Baetz (:bbaetz) 2002-04-03 15:23:53 PST
> rlog: /cvsroot/mozilla/webtools/bugzilla/queryhelp.cgi,v:21: missing ';' after
'symbols'
> rlog aborted

Um, what??

bonsai doesn't seem to have picked up the actual diff either, although it was
committed to cvs.
Comment 37 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-05-08 21:52:56 PDT
munging ccs
Comment 38 J. Paul Reed [:preed] 2002-05-10 03:06:57 PDT
Created attachment 83023 [details] [diff] [review]
Backported patch for BUGZILLA-2_14_1-BRANCH

easy short patch!
Comment 39 Gervase Markham [:gerv] 2002-05-11 02:21:15 PDT
Comment on attachment 83023 [details] [diff] [review]
Backported patch for BUGZILLA-2_14_1-BRANCH

2xr=gerv.

Gerv
Comment 40 J. Paul Reed [:preed] 2002-05-11 03:11:23 PDT
Checked in on BUGZILLA-2_14_1-BRANCH.
Comment 41 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-05-12 09:12:05 PDT
Adding representatives of the packagers to bugs that are going into the
Bugzilla 2.14.2 security update
Comment 42 Bradley Baetz (:bbaetz) 2002-05-15 22:30:08 PDT
moving secure bugzilla/webtools bugs from mozilla security group to the new
bugzilla security group.
Comment 43 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-06-08 00:01:15 PDT
2.14.2 is out, removing security group.
Comment 44 Brian 'netdragon' Bober 2002-09-23 22:57:28 PDT
vrfy