Allow unprivileged users to file bugs into Mozilla security groups

RESOLVED FIXED

Status

()

P2
normal
RESOLVED FIXED
17 years ago
8 years ago

People

(Reporter: myk, Assigned: myk)

Tracking

Details

Attachments

(1 attachment, 4 obsolete attachments)

(Assignee)

Description

17 years ago
Each security group should have an option that, if enabled, allows unprivileged
users to file bugs into that group.  This makes it possible to set up a group
for security-sensitive bugs (i.e. bugs that compromise the security of users of
the product) and allow members of the public to put bugs into it without the bug
being public for any period of time.
Created attachment 93005 [details] [diff] [review]
Patch v.1

The groups rewrite should allow this generally, but there is a need for this in
the specific situation of security bugs on b.m.o. This patch is a hack,
specific to that installation, to allow anyone to file bugs into our two
security groups, and add a checkbox to the UI for that purpose.

Gerv
Yuck...

You nbeed to add some warning text that this doesn't mean 'a problem with
security' (ie nss/psm), and what this means. You could link to a .html page
instead, if you prefer.
Ditto on the wording objections, this will get misinterpreted and misused. The
text should explicitly mention the confidential aspect somehow. The wording
that's curently used for groupset 2 ("Security-sensitive bug") is not entirely
clear, but wouldn't get misused the way "this is a security problem" would.
Especially if there's a link to a help doc like bug_status.html

"Confidential security problem" ?

If you can, please ask some UI or doc people for wording that gets the idea
across without encouraging overuse.
Agreed. However, I'd rather have bugs miss-marked as security sensitive (as long
as the volume of such bugs is not too large, or course) than having security
sensitive bugs filed in the open just because we don't give users the ability to
mark bugs as security sensitive.
"[ ] This is a security problem which needs to be kept confidential"?

People won't read the far end of any link; the text has to stand alone.

CCing mpt and lori for further comments.

Gerv

Updated

17 years ago
Attachment #93005 - Flags: needs-work+
Comment on attachment 93005 [details] [diff] [review]
Patch v.1

On the patch itsself, if I'm in the security group the UI will look wierd, and
I'm not sure what will happen if you have one checked but not the other. I know
that checkboxes don't send the form element in mozilla (as per the spec), but
does someone send a 0 for unchecked boxes?

ie, move the sec_bit stuff before teh <Tr>, and then do an if. We don't have
the bitset in the user hash though, so you'll have to [% IF %] based on the
group name.

Regarding the ui for this, as a side issue we may want to consider what that
should be when this is done generically and properly.

Theres no reason it couldn't be done properly now, except that it will conflict
strongly with joel's stuff - its only dependent on that because of the product
specific bits.

You shgould also have teh groupset for the m.o conf group for mozilla.org bugs.
Comment on attachment 93005 [details] [diff] [review]
Patch v.1

On the patch itsself, if I'm in the security group the UI will look wierd, and
I'm not sure what will happen if you have one checked but not the other. I know
that checkboxes don't send the form element in mozilla (as per the spec), but
does someone send a 0 for unchecked boxes?

ie, move the sec_bit stuff before teh <Tr>, and then do an if. We don't have
the bitset in the user hash though, so you'll have to [% IF %] based on the
group name.

Regarding the ui for this, as a side issue we may want to consider what that
should be when this is done generically and properly.

Theres no reason it couldn't be done properly now, except that it will conflict
strongly with joel's stuff - its only dependent on that because of the product
specific bits.

You shgould also have teh groupset for the m.o conf group for mozilla.org bugs.
The new wording is a big improvement, thank you.

Comment 9

17 years ago
I think Gerv's revised wording is the best it can be, but I also think this
option would be heavily misused no matter how it was worded.
I think there's enough of a bias toward openness that it won't be "heavily"
misused, and anyone on a bug can open it up when the mistake is discovered just
as mistakes in severity or components are corrected every day.

You could add a link to
http://www.mozilla.org/projects/security/security-bugs-policy.html if it fits.
Created attachment 94667 [details] [diff] [review]
Patch v.2

Patch v.2 incorporates new wording and a link to the security policy.

Gerv
Attachment #93005 - Attachment is obsolete: true
You've still got the duplicate checkbox problem if I'm in the relevent security
group.
I _swear_ I wrote a comment about that.

Basically, we have two options:
- make the groups UI inconsistent - one group is a checkbox under the text entry
form, and the rest are as normal
- make the groups UI have a duplicate box for those people in either security
group. People can use either of them to mark a bug as security-sensitive.

Neither is nice, but I believe the second is less bad than the first.

I'm pretty certain browsers DTRT - i.e. submit the control if one or more of the
boxes are checked - so that's not a problem.

Gerv
OK, I can live with that temporarily. However, please morph this bug into a
mozilla.org specific one, and then file a new one to deal with the generic case
(and mark it dependant on the groups rewrite one)
This bug was intended to be m.o-specific; I've now made that more clear. 

Do we really need a new bug for this issue for the groups rewrite? As I
understand it, Joel has this need already on his list.

Gerv

Assignee: myk → gerv
Summary: option to allow unprivileged users to file bugs into a security group → Allow unprivileged users to file bugs into Mozilla security groups
Now its mozilla specific :)

I don't think this exact thing is on the groups list-of-changes - joel?
Component: Creating/Changing Bugs → Bugzilla: Other moz.org Issues
Product: Bugzilla → mozilla.org
Version: 2.15 → other

Comment 17

17 years ago
The current groups plan (stage 3) would permit a product to be set up in a
manner that lets unprivileged users enter a bug but then restricts it in a
manner that the user could not have set up.  That would do what this bug wants,
I think.

The way this would be done is to set a permissive entry group for a security
product, but then require the restiction on access.  The reporter would still
see it as the reporter, but it would be restricted from public view as long as
it remained in the security product.
 
joel: Yes, but that wouldn't be optional then... We'd really want a separate bit
on the product_group_map table for 'can_set_even_if_not_member', which would
only be valid if the entry were optional (ie the type was 1 or 2, not 0 or 3,
from the mappnig Isuggested in the bug/on irc)
(Assignee)

Comment 19

17 years ago
Comment on attachment 94667 [details] [diff] [review]
Patch v.2

>+      This is a security problem which needs to be kept confidential

Nit: "that" seems more correct than "which" in this sentence.

>+      (<a href="http://www.mozilla.org/projects/security/security-bugs-policy.html">security policy</a>)

Nit: complete sentences should end with periods.

I'm ok with duplicate UI for this field, although I prefer the "inconsistency."
Created attachment 96284 [details] [diff] [review]
Patch v.3

Myk's nits picked.

Myk - could you apply this to b.m.o?

Gerv
myk: ping? :-) I can't file a review request, because we aren't in the right
product.

Gerv
(Assignee)

Comment 22

16 years ago
As I recall, the last time staff talked about this we decided not to do it.
<checks> How right you are. OK. Let's WONTFIX this; if the issue ever comes up
again, I'm sure we'll remember this bug.

Gerv
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → WONTFIX
Reopening; we are doing this after all.

Gerv
Status: RESOLVED → REOPENED
Priority: -- → P2
Resolution: WONTFIX → ---
Created attachment 99710 [details] [diff] [review]
Patch v.4

Refreshed patch.

Gerv
Attachment #96284 - Attachment is obsolete: true
Over to Myk to apply this to b.m.o.

Gerv
Assignee: gerv → myk
Status: REOPENED → NEW
I believe the spec says it gets sent for each time it's checked.

If you have two checkboxes with the same name, you're going to get
name=value&name=value in your string.
Is that going to have any effect on the code which reads this value? Will it
still be in %::FORM, or will it now suddenly be in %::MFORM or something?

Gerv
I think that if we only check for defined (which I _think_ is all post_bug
does), then its ok. Maybe - test it! :)
I tried checking both boxes, and it still ended up in the correct group. So
we're fine.

Gerv
(Assignee)

Updated

16 years ago
Blocks: 176570
myk: you've applied most of my other customisations, but not this one. Any
particular reason?

Although, now we are forcing new filers to use the Helper, maybe we need this
checkbox there as well...

Gerv
(Assignee)

Comment 32

16 years ago
Yes, I didn't apply this patch because it's been rotted by the groups rewrite. 
You're right, it makes sense to add this to the Bugzilla Helper as well.
Created attachment 106295 [details] [diff] [review]
Patch v.5

This should do the trick for the new groups system, and both bug entry forms.

Gerv
Attachment #99710 - Attachment is obsolete: true
myk: there's no review system in this product. Could you review, please? :-)

Gerv
(Assignee)

Updated

16 years ago
No longer blocks: 176570
(Assignee)

Updated

16 years ago
Blocks: 186190
(Assignee)

Comment 35

16 years ago
I'm a little concerned that this patch makes it possible for group shuffling to
change which groups users can file bugs in, but that's a minor issue and one
which is unlikely to occur.  r=myk, and applied to b.m.o, but note that recent
changes to post_bug.cgi necessitate refreshing this patch before the next b.m.o
upgrade.  Leaving it open for that reason.
I have a feeling that the new groups architecture makes this patch redundant,
doesn't it? Joel certainly seemed to think so. So it won't need refreshing.

Gerv

Comment 37

16 years ago
This has been fixed for a while, right?
(Assignee)

Comment 38

16 years ago
Yup.
Status: NEW → RESOLVED
Last Resolved: 16 years ago16 years ago
Resolution: --- → FIXED
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org
You need to log in before you can comment on or make changes to this bug.