Closed Bug 166332 Opened 22 years ago Closed 2 years ago

Should be given option to mass change when not logged in

Categories

(Bugzilla :: Query/Bug List, enhancement)

Product:
Bugzilla
Component:
Query/Bug List
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: mozeditor, Unassigned)

Details

(Keywords: polish)

Attachments

(1 file)

patch
2.41 KB, patch
goobix
: review-
LpSolit
: review-
Details | Diff | Splinter Review 
Steps: 
1) without being logged into bugzilla, do a bug search.
results:  "Change Several Bugs at Once" option is not there.

It should be, for 2 reasons.  First off, if you are usually logged in when using
bugzilla, and then do a search when not logged in, it's not obvious why that
option has disappeared.  Secondly, if you bring up a specific bug and make a
change, Bugzilla prompts you to login AFTER you try to commit the change.

The way it should work is that "Change Several Bugs at Once"" is always present
at the bottom of search results, and if you make changes it should then prompt
you for login.
You can just add &tweak=1 to the url, but yeah, this seems reasonable. Patch coming.

You'll still have to login before seeing the page, though. This is partly for
groups-issues, but mainly because theres no point in letting someone fill out a
form which they won't be able to submit...
Assignee: myk → bbaetz
Keywords: polish
Summary: inconsistent and undiscovereable differences on when you can change bugs → Should be given option to mass change when not logged in
Target Milestone: --- → Bugzilla 2.18
Attached patch patchSplinter Review 
This also fixes the problem that process_bug doesn't check for editgroups
before letting you do a mass change....

The actual text of the error message hasn't been tested, though - see bug
164038 comment 15
Unloved bugs targetted for 2.18 but untouched since 9-15-2003 are being
retargeted to 2.20
If you plan to act on one immediately, go ahead and pull it back to 2.18.
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
This bug has not been touched by its owner in over six months, even though it is
targeted to 2.20, for which the freeze is 10 days away. Unsetting the target
milestone, on the assumption that nobody is actually working on it or has any
plans to soon.

If you are the owner, and you plan to work on the bug, please give it a real
target milestone. If you are the owner, and you do *not* plan to work on it,
please reassign it to nobody@bugzilla.org or a .bugs component owner. If you are
*anybody*, and you get this comment, and *you* plan to work on the bug, please
reassign it to yourself if you have the ability.
Target Milestone: Bugzilla 2.20 → ---
My vote to wontfix this bug!

Comment on attachment 97584 [details] [diff] [review]
patch

Asking for review.

This bug asks for displaying the option for a mass change when logged out, not
for allowing the actual mass change. Displaying the option when logged out and
then asking to log in when it's actually requested is consistent to what is
what we're doing elsewhere, too.
Attachment #97584 - Flags: review?
Comment on attachment 97584 [details] [diff] [review]
patch

The current status of Bugzilla:

-> not logged in users miss the "Change multiple" link in the footer.
-> any logged in user can do multiple changes.
-> logged in user with editbugs can see the "Change multiple" link in the
footer, the other logged in user can not, but can still perform it by manually
visiting the URL.

This bug should not change the current permission scheme, as its summary
clearly indicates that this is not the topic here. Besides, if in another bug
we decide to change the current permission scheme, then I'd probably object to
it.

This patch has 3 parts. The first two parts change the permission scheme;
discussion about them needs to be moved in another bug and they are not
relevant here.

The third part is wrong, because it needs to display "change multiple" to
logged in users with editbugs as well (since the code allows them to do this
currently).

-    [% IF bugs.size > 1 && caneditbugs && !dotweak %]
+    [% IF bugs.size > 1 && (caneditbugs || NOT user.login) && !dotweak %]

should be in the lines of:

-    [% IF bugs.size > 1 && caneditbugs && !dotweak %]
+    [% IF bugs.size > 1 && !dotweak %]


So we need (Marc? :) ) only the third part of the patch, giving the link out to
everybody.
Attachment #97584 - Flags: review? → review-
s/logged in user/logged in users/
s/the other logged in user/the other logged in users/
s/logged in users with editbugs as well/logged in users without editbugs as well/

(in the previous comment)
Comment on attachment 97584 [details] [diff] [review]
patch

Hmm, forget the previous 2 comments, I had editbugs inheritance turned on and
so all the testing turned out to be wrong.
Attachment #97584 - Flags: review- → review?
Comment on attachment 97584 [details] [diff] [review]
patch

The patch is wrong because the cant_edit_multiple thing that it's trying to
introduce is nowadays done in user-error.html.tmpl using LpSolit's generic
auth_failure template:

    [% ELSIF object == "multiple_bugs" %]
      multiple [% terms.bugs %] at once


So the first two parts need to be removed. I think the 3rd part (Marc? :) ) is
what we need. The code in the 3rd part is correct, since not having editbugs
means no multiple changes :(.
Attachment #97584 - Flags: review? → review-
Comment on attachment 97584 [details] [diff] [review]
patch

>@@ -86,6 +86,11 @@
>   || DisplayError("You did not select any bugs to modify.")
>   && exit;
> 
>+# mass changes require editbugs
>+if (scalar(@idlist) > 1 && !UserInGroup("editbugs")) {
>+  ThrowUserError("cant_edit_multiple");
>+}

Which version of Bugzilla has been used here??? Looks like 2.16.x or older, due
to the DisplayError() routine.


>+  [% ELSIF message_tag == "cant_edit_multiple" %]
>+    [% title = "Permission Denied" %]
>+    Sorry, you do not have sufficient privileges to edit multiple bugs.

First, you have to write [% terms.bugs %]. Second, as Vlad said, we have a
generic auth failures template.


>-    [% IF bugs.size > 1 && caneditbugs && !dotweak %]
>+    [% IF bugs.size > 1 && (caneditbugs || NOT user.login) && !dotweak %]

Unfortunately, I'm not allowed to put my veto on it. But: we have bugs
requesting to disable fields which the user is not allowed to edit, such as bug
95923. Here, you offer all users the possibility to do several changes at once
and then they will get a great red error message saying "sorry, you don't have
enough privs to do this". Changing several bugs at once requires editbugs
privs. These guys know how Bugzilla works well enough to log in first. Changing
several bugs at once is powerful.... and dangerous. I would tend to hide it as
much as possible instead of allowing anyone to use it, even if process_bug.cgi
will block any unallowed change.

Again, my vote to wontfix it.
Attachment #97584 - Flags: review-
> instead of allowing anyone to use it, even if process_bug.cgi
> will block any unallowed change.

process_bug will block unallowed changes only if they hack the URL.

The blocking will be made most of the time by buglist.cgi. Either they have a
valid account and log in successfully, or they get the auth error message and
don't even see the interface for changing multiple bugs.
LpSolit: see previous comment.
Vlad, if I understand you correctly, the steps for a logged out user are:

1) I'm logged out and run a query.
2) buglist.cgi displays the list of bugs and at the end a link to "change
several bugs at once".
3) If I click this link, I have to identify myself before the edit-multiple
template is displayed.
4) If I have editbugs privs, I can access edit-multiple, else I get a auth error.

Is that what you meant?

LpSolit: yeah.

When I've said about buglist.cgi performing the "block", I was talking about
your step 3: the "edit-multiple template" is displayed by buglist.cgi.
ok. I thought you meant "let the user access the edit-multiple template, doing
all the changes and after he spent 10 minutes on it, throw him a big red error
message at his face". This was the reason I was opposed to this option. Now it
sounds *much* better! I remove my "veto" then. ;)
QA Contact: mattyt-bugzilla → default-qa
(In reply to comment #0)
> Steps: 
> 1) without being logged into bugzilla, do a bug search.
> results:  "Change Several Bugs at Once" option is not there.
> 
> It should be, for 2 reasons.  First off, if you are usually logged in when using
> bugzilla, and then do a search when not logged in, it's not obvious why that
> option has disappeared.  Secondly, if you bring up a specific bug and make a
> change, Bugzilla prompts you to login AFTER you try to commit the change.

I don't see the behavior mentioned as the second point above of making a change to a specific bug
Whiteboard: [has minused patch]
Assignee: bbaetz → query-and-buglist
Severity: normal → enhancement
Component: Creating/Changing Bugs → Query/Bug List
Whiteboard: [has minused patch]

As of Bugzilla 6 (a predecessor of which is what you're using to view this bug report), you are no longer permitted to make changes even to individual bugs without being logged in first. The fields to make changes aren't even present on the bug display until you log in. Thus the current behavior with "change several bugs at once" is consistent with the current individual bug view, and this change is no longer needed to make it consistent.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: