Closed Bug 155400 Opened 22 years ago Closed 22 years ago

Fix permissions model

Categories

(Bugzilla :: Bugzilla-General, defect)

2.17
defect
Not set
normal

RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: gerv, Assigned: gerv)

Details

Our permissions model is currently a mess. Newsgroup discussion came up with the
following, which I intend to implement:

No permissions - can add comments and change CCs

Has canconfirm - can add comments, change CCs, and confirm a bug

Has canedit - can edit any aspect of a bug
QA Contact - can edit any aspect of a bug
Assignee - can edit any aspect of a bug

(So, being the QA Contact or the Assignee can be implemented as having canedit
for that bug only.)

Reporter - can edit any aspect of a bug, except:
  - confirmed status
  - priority unless Param("letsubmitterchoosepriority")
  - target milestone

(So, being a reporter has to be an extra flag, because they are different.) 

Gerv
Status: NEW → ASSIGNED
Target Milestone: --- → Bugzilla 2.18
Version: unspecified → 2.17
This is related to/a dupe of several bugs, the most obvious probably being the
2.16 bug on this issue.
OK, having carefully read the code, here (I think) are the deviations the
current model has from the ideal:

- An unpermissioned user can change NEW -> ASSIGNED and REOPENED -> ASSIGNED by 
  hacking templates, although there's no UI.
- The reporter can possibly confirm bugs, using the same method as above, but
  I couldn't get it to work.
- The reporter can currently change priority and TM.
- Anyone can edit dependencies (bug 141593) because the Check function isn't
  called for them

Gerv
I fixed this when I rewrote CheckCanChangeField.

Gerv
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
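
The model proposed in the description, with the deviations listed in the second comment replayed against it, as an added Python example. It is not Bugzilla's code or its CheckCanChangeField; the field names, the treatment of moves into or out of UNCONFIRMED, and the sample addresses are assumptions.

```python
# Added illustration, not Bugzilla's CheckCanChangeField; field names are assumed.
from dataclasses import dataclass, field

OPEN_TO_ALL = {"comment", "cc"}          # no permissions needed
REPORTER_NEVER = {"target_milestone"}    # reporter may not touch these

@dataclass
class User:
    login: str
    groups: set = field(default_factory=set)   # "canconfirm", "canedit"

@dataclass
class Bug:
    reporter: str
    assignee: str
    qa_contact: str

def edits_confirmed_status(name, old, new):
    # Assumption: any status move into or out of UNCONFIRMED edits confirmed status.
    return name == "status" and (old == "UNCONFIRMED") != (new == "UNCONFIRMED")

def can_change_field(user, bug, name, old, new, letsubmitterchoosepriority=False):
    if old == new or name in OPEN_TO_ALL:
        return True
    # QA contact and assignee hold canedit for this bug only.
    if "canedit" in user.groups or user.login in (bug.assignee, bug.qa_contact):
        return True
    if edits_confirmed_status(name, old, new):
        return "canconfirm" in user.groups
    if user.login == bug.reporter:
        if name == "priority":
            return letsubmitterchoosepriority
        return name not in REPORTER_NEVER
    # Default deny: a field nobody listed (dependencies, say) is still refused.
    return False

# Constructed sample data: the deviations from the thread, replayed against the model.
BUG = Bug(reporter="reporter@example.com", assignee="dev@example.com",
          qa_contact="qa@example.com")
NOBODY = User("visitor@example.com")
REPORTER = User("reporter@example.com")

def replay_deviations():
    return {
        "unprivileged NEW->ASSIGNED": can_change_field(NOBODY, BUG, "status", "NEW", "ASSIGNED"),
        "reporter confirms": can_change_field(REPORTER, BUG, "status", "UNCONFIRMED", "NEW"),
        "reporter sets priority": can_change_field(REPORTER, BUG, "priority", "P3", "P1"),
        "reporter sets milestone": can_change_field(REPORTER, BUG, "target_milestone", "---", "2.18"),
        "unprivileged edits dependencies": can_change_field(NOBODY, BUG, "dependson", "", "141593"),
    }
```

Because the function ends in a default deny and every field goes through it, a field that no rule mentions is refused rather than silently allowed, which is the failure the dependencies item describes.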