Bug 163135 - reports.cgi with usebuggroups on
Status: RESOLVED INVALID (Closed)
Opened 22 years ago; closed 21 years ago
Categories: Bugzilla :: Reporting/Charting, defect, P4
People: Reporter: rbro, Assigned: gerv
I have usebuggroups and usebuggroupsentry both turned on, so that products are isolated to specific groups of people, and people can't see bugs that they aren't permitted to. If I go to my bugzilla homepage as a non-logged-in user, and click on the reports link and view a standard report, I can see a listing of e-mail addresses and bug numbers for products that I shouldn't have access to. If I click any bug number, I get the message that I'm not authorized to view the bug, but should a non-logged-in user (or a user who doesn't have permissions for a product) be able to see a listing of the 'engineers' and bug numbers relating to a product that he should otherwise know nothing about, nor have access to view?
Comment 1 • Assignee • 22 years ago
While not ideal, I don't think this is a serious information leak. Those reports are going away eventually (yes, I know I always say that, but I actually have an implementation of their replacement) and the code is horrible, so I don't like working with it. ;-) Gerv
Comment 2 • Reporter • 22 years ago
I haven't yet taken a look at the code in reports.cgi, but one thing I noticed is this: If I log in as a user with access to just one product (out of the many that exist), on the initial reports.cgi page, the Product dropdown lists an 'All' option and the one product that I have access to. If I choose that one product and click Continue, I get stats just for that one product, but if I choose 'All', I get stats for all products (including ones not listed in that dropdown). Since the code to retrieve stats for just one product already exists, to fix the problem for the 'All' case, wouldn't the fix be to do the SQL query to get the list of products that the user has access to, and add them all into the various SQL statements for the stats, just as the one product is added in now to the SQL for the singular product case?
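The fix sketched in comment 2, as an added illustration that is not Bugzilla's own reports.cgi code: the "All" path runs the statistics query with no product restriction at all, while the single-product path adds a product condition. Constraining the "All" path to the set of products the user's groups make visible closes the leak for anonymous and partially-privileged users alike. The schema, table names, and sample rows below are constructed and simplified stand-ins for Bugzilla's real tables (assumptions, not the real layout); the point is the query shape, which applies to any report that aggregates over a group-restricted table.

```python
import sqlite3

# Constructed, simplified schema standing in for Bugzilla's products, bugs and
# group-membership tables. Added example only; this is not Bugzilla's code.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE product_groups (product_id INTEGER, group_id INTEGER);
CREATE TABLE user_groups (user_id INTEGER, group_id INTEGER);
CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, product_id INTEGER, assigned_to TEXT);
"""

# Constructed sample data: product 1 is unrestricted (no controlling group),
# product 2 is visible only to group 20. User 2 is in group 20; user 0
# (standing in for a non-logged-in visitor) is in no groups.
SAMPLE = [
    ("INSERT INTO products VALUES (?, ?)", [(1, "Public"), (2, "SecretProduct")]),
    ("INSERT INTO product_groups VALUES (?, ?)", [(2, 20)]),
    ("INSERT INTO user_groups VALUES (?, ?)", [(2, 20)]),
    ("INSERT INTO bugs VALUES (?, ?, ?)", [
        (100, 1, "alice@example.com"),
        (101, 2, "bob@secret.example"),
        (102, 2, "carol@secret.example"),
    ]),
]


def make_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    return conn


def stats_all_unfiltered(conn):
    """The leaky 'All' path: assignee counts over every bug, no product filter.
    An anonymous caller learns every assignee e-mail, including those on
    products they cannot open."""
    return conn.execute(
        "SELECT assigned_to, COUNT(*) FROM bugs "
        "GROUP BY assigned_to ORDER BY assigned_to"
    ).fetchall()


def accessible_products(conn, user_id):
    """Product ids the user may see: unrestricted products plus those whose
    controlling group the user belongs to. This is the list the product
    dropdown is built from, reused here to scope the aggregate query."""
    rows = conn.execute(
        """
        SELECT p.id
          FROM products p
          LEFT JOIN product_groups pg ON pg.product_id = p.id
         WHERE pg.group_id IS NULL
            OR pg.group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?)
         GROUP BY p.id
         ORDER BY p.id
        """,
        (user_id,),
    ).fetchall()
    return [r[0] for r in rows]


def stats_all_filtered(conn, user_id):
    """Fixed 'All' path: same aggregate, restricted to accessible products.
    Uses bound placeholders (one per product id) rather than string-building
    the IN list, and returns nothing when the user can see no products."""
    ids = accessible_products(conn, user_id)
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    return conn.execute(
        f"SELECT assigned_to, COUNT(*) FROM bugs WHERE product_id IN ({placeholders}) "
        "GROUP BY assigned_to ORDER BY assigned_to",
        ids,
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unfiltered 'All' (leaks):", stats_all_unfiltered(db))
    print("anonymous, filtered:     ", stats_all_filtered(db, 0))
    print("group member, filtered:  ", stats_all_filtered(db, 2))
```

The same `IN (...)` restriction has to be applied to every statistic the report computes, not just the assignee breakdown; any aggregate left unscoped reintroduces the leak for that column.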
Comment 3 • Assignee • 22 years ago
I'm not saying it's unfixable - just that I don't plan to fix it, because I have a large pile of other bugs to get through first :-) Gerv
Updated • 22 years ago
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.18
Comment 4 • Assignee • 22 years ago
This is all going away over in bug 16009. Gerv
Depends on: 16009
Priority: P2 → P4
Updated • 21 years ago
OS: Windows 2000 → All
Hardware: PC → All
Comment 5 • Assignee • 21 years ago
This bug is now invalid, because the reports in question are no longer part of Bugzilla. Gerv
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Comment 6 • 21 years ago
bulk removing target on WONTFIX/INVALID/WORKSFORME/DUPLICATE so they'll show up as untriaged if they get reopened.
Target Milestone: Bugzilla 2.18 → ---
Updated • 12 years ago
QA Contact: matty_is_a_geek → default-qa