Closed Bug 129366 Opened 23 years ago Closed 21 years ago

Allow unprivileged users to file bugs into Mozilla security groups

Categories

(bugzilla.mozilla.org :: General, defect, P2)

defect

Tracking

()

RESOLVED FIXED

People

(Reporter: myk, Assigned: myk)

References

Details

Attachments

(1 file, 4 obsolete files)

Each security group should have an option that, if enabled, allows unprivileged users to file bugs into that group. This makes it possible to set up a group for security-sensitive bugs (i.e. bugs that compromise the security of users of the product) and allow members of the public to put bugs into it without the bug being public for any period of time.
Attached patch Patch v.1 (obsolete) — Splinter Review
The groups rewrite should allow this generally, but there is a need for this in the specific situation of security bugs on b.m.o. This patch is a hack, specific to that installation, to allow anyone to file bugs into our two security groups, and add a checkbox to the UI for that purpose. Gerv
Yuck... You nbeed to add some warning text that this doesn't mean 'a problem with security' (ie nss/psm), and what this means. You could link to a .html page instead, if you prefer.
Ditto on the wording objections, this will get misinterpreted and misused. The text should explicitly mention the confidential aspect somehow. The wording that's curently used for groupset 2 ("Security-sensitive bug") is not entirely clear, but wouldn't get misused the way "this is a security problem" would. Especially if there's a link to a help doc like bug_status.html "Confidential security problem" ? If you can, please ask some UI or doc people for wording that gets the idea across without encouraging overuse.
Agreed. However, I'd rather have bugs miss-marked as security sensitive (as long as the volume of such bugs is not too large, or course) than having security sensitive bugs filed in the open just because we don't give users the ability to mark bugs as security sensitive.
"[ ] This is a security problem which needs to be kept confidential"? People won't read the far end of any link; the text has to stand alone. CCing mpt and lori for further comments. Gerv
Attachment #93005 - Flags: needs-work+
Comment on attachment 93005 [details] [diff] [review] Patch v.1 On the patch itsself, if I'm in the security group the UI will look wierd, and I'm not sure what will happen if you have one checked but not the other. I know that checkboxes don't send the form element in mozilla (as per the spec), but does someone send a 0 for unchecked boxes? ie, move the sec_bit stuff before teh <Tr>, and then do an if. We don't have the bitset in the user hash though, so you'll have to [% IF %] based on the group name. Regarding the ui for this, as a side issue we may want to consider what that should be when this is done generically and properly. Theres no reason it couldn't be done properly now, except that it will conflict strongly with joel's stuff - its only dependent on that because of the product specific bits. You shgould also have teh groupset for the m.o conf group for mozilla.org bugs.
Comment on attachment 93005 [details] [diff] [review] Patch v.1 On the patch itsself, if I'm in the security group the UI will look wierd, and I'm not sure what will happen if you have one checked but not the other. I know that checkboxes don't send the form element in mozilla (as per the spec), but does someone send a 0 for unchecked boxes? ie, move the sec_bit stuff before teh <Tr>, and then do an if. We don't have the bitset in the user hash though, so you'll have to [% IF %] based on the group name. Regarding the ui for this, as a side issue we may want to consider what that should be when this is done generically and properly. Theres no reason it couldn't be done properly now, except that it will conflict strongly with joel's stuff - its only dependent on that because of the product specific bits. You shgould also have teh groupset for the m.o conf group for mozilla.org bugs.
The new wording is a big improvement, thank you.
I think Gerv's revised wording is the best it can be, but I also think this option would be heavily misused no matter how it was worded.
I think there's enough of a bias toward openness that it won't be "heavily" misused, and anyone on a bug can open it up when the mistake is discovered just as mistakes in severity or components are corrected every day. You could add a link to http://www.mozilla.org/projects/security/security-bugs-policy.html if it fits.
Attached patch Patch v.2 (obsolete) — Splinter Review
Patch v.2 incorporates new wording and a link to the security policy. Gerv
Attachment #93005 - Attachment is obsolete: true
You've still got the duplicate checkbox problem if I'm in the relevent security group.
I _swear_ I wrote a comment about that. Basically, we have two options: - make the groups UI inconsistent - one group is a checkbox under the text entry form, and the rest are as normal - make the groups UI have a duplicate box for those people in either security group. People can use either of them to mark a bug as security-sensitive. Neither is nice, but I believe the second is less bad than the first. I'm pretty certain browsers DTRT - i.e. submit the control if one or more of the boxes are checked - so that's not a problem. Gerv
OK, I can live with that temporarily. However, please morph this bug into a mozilla.org specific one, and then file a new one to deal with the generic case (and mark it dependant on the groups rewrite one)
This bug was intended to be m.o-specific; I've now made that more clear. Do we really need a new bug for this issue for the groups rewrite? As I understand it, Joel has this need already on his list. Gerv
Assignee: myk → gerv
Summary: option to allow unprivileged users to file bugs into a security group → Allow unprivileged users to file bugs into Mozilla security groups
Now its mozilla specific :) I don't think this exact thing is on the groups list-of-changes - joel?
Component: Creating/Changing Bugs → Bugzilla: Other moz.org Issues
Product: Bugzilla → mozilla.org
Version: 2.15 → other
The current groups plan (stage 3) would permit a product to be set up in a manner that lets unprivileged users enter a bug but then restricts it in a manner that the user could not have set up. That would do what this bug wants, I think. The way this would be done is to set a permissive entry group for a security product, but then require the restiction on access. The reporter would still see it as the reporter, but it would be restricted from public view as long as it remained in the security product.
joel: Yes, but that wouldn't be optional then... We'd really want a separate bit on the product_group_map table for 'can_set_even_if_not_member', which would only be valid if the entry were optional (ie the type was 1 or 2, not 0 or 3, from the mappnig Isuggested in the bug/on irc)
Comment on attachment 94667 [details] [diff] [review] Patch v.2 >+ This is a security problem which needs to be kept confidential Nit: "that" seems more correct than "which" in this sentence. >+ (<a href="http://www.mozilla.org/projects/security/security-bugs-policy.html">security policy</a>) Nit: complete sentences should end with periods. I'm ok with duplicate UI for this field, although I prefer the "inconsistency."
Attached patch Patch v.3 (obsolete) — Splinter Review
Myk's nits picked. Myk - could you apply this to b.m.o? Gerv
myk: ping? :-) I can't file a review request, because we aren't in the right product. Gerv
As I recall, the last time staff talked about this we decided not to do it.
<checks> How right you are. OK. Let's WONTFIX this; if the issue ever comes up again, I'm sure we'll remember this bug. Gerv
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WONTFIX
Reopening; we are doing this after all. Gerv
Status: RESOLVED → REOPENED
Priority: -- → P2
Resolution: WONTFIX → ---
Attached patch Patch v.4 (obsolete) — Splinter Review
Refreshed patch. Gerv
Attachment #96284 - Attachment is obsolete: true
Over to Myk to apply this to b.m.o. Gerv
Assignee: gerv → myk
Status: REOPENED → NEW
I believe the spec says it gets sent for each time it's checked. If you have two checkboxes with the same name, you're going to get name=value&name=value in your string.
Is that going to have any effect on the code which reads this value? Will it still be in %::FORM, or will it now suddenly be in %::MFORM or something? Gerv
I think that if we only check for defined (which I _think_ is all post_bug does), then its ok. Maybe - test it! :)
I tried checking both boxes, and it still ended up in the correct group. So we're fine. Gerv
Blocks: 176570
myk: you've applied most of my other customisations, but not this one. Any particular reason? Although, now we are forcing new filers to use the Helper, maybe we need this checkbox there as well... Gerv
Yes, I didn't apply this patch because it's been rotted by the groups rewrite. You're right, it makes sense to add this to the Bugzilla Helper as well.
Attached patch Patch v.5Splinter Review
This should do the trick for the new groups system, and both bug entry forms. Gerv
Attachment #99710 - Attachment is obsolete: true
myk: there's no review system in this product. Could you review, please? :-) Gerv
No longer blocks: 176570
Blocks: 186190
I'm a little concerned that this patch makes it possible for group shuffling to change which groups users can file bugs in, but that's a minor issue and one which is unlikely to occur. r=myk, and applied to b.m.o, but note that recent changes to post_bug.cgi necessitate refreshing this patch before the next b.m.o upgrade. Leaving it open for that reason.
I have a feeling that the new groups architecture makes this patch redundant, doesn't it? Joel certainly seemed to think so. So it won't need refreshing. Gerv
This has been fixed for a while, right?
Yup.
Status: NEW → RESOLVED
Closed: 22 years ago21 years ago
Resolution: --- → FIXED
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: