API keys inherit the same privileges as the user who created them. This means, for example, that there's no way to create an API key that doesn't have access to security bugs for a user that has privileges to see them. This behavior can also cause security problems. When you get more privileges on Bugzilla, you'd need to audit your pre-existing API keys.
This would help resolve a concern that's been around with 3rd Party Web Apps that consume the API. Even if we just made it such that API keys do not have access to bugs in security groups, that'd be a useful change.
10 months ago