Closed Bug 1692222 Opened 3 years ago Closed 1 year ago

Show bug ids in reference fields when user has editbugs even if the user cannot see the actual bugs

Categories: bugzilla.mozilla.org :: Bug Creation/Editing (enhancement)

Status: RESOLVED FIXED

People: Reporter: dkl, Assigned: dkl

Attachments (1 file, 2 obsolete files): 46 bytes, text/x-github-pull-request

Current behavior is to not show any bug ids in the reference fields (depends, regresses, etc.) if the current user cannot see them. This has caused issues with triagers and others who need to know that secure bugs are attached to the bug.

This change allows the bug ids to be visible if the user is in editbugs even though the user might not be able to actually see the secure bug. No summary or other sensitive information is shown.

Attached file GitHub Pull Request (obsolete)

We need a go-ahead from security that they want this change before proceeding.

Who do we need to ping to get this bug done? dveditz maybe?

Flags: needinfo?(dveditz)

> This has caused issues with triagers and others who need to know that secure bugs are attached to the bug

And if those users can't see the bug numbers, when they go into edit mode they could presumably cause lots of data loss by submitting dependency changes that drop all the bugs they couldn't see?

I imagine I'd be unhappy to find out how many folks have that permission? I tried using the Group Members report to get a count but it wasn't an option. It's a permission that's relatively easy to get if you're willing to put some time into it, but I don't see how people could safely edit bugs without being able to see these bug numbers.

I guess we'll have to live with it? I've dropped a note to get some feedback from other members of the team. I'm leaving my needinfo? on here and will get back with a more confident judgement.

(In reply to Daniel Veditz [:dveditz] from comment #4)

> And if those users can't see the bug numbers, when they go into edit mode they could presumably cause lots of data loss by submitting dependency changes that drop all the bugs they couldn't see?

If the user cannot see the ids they will not be affected by any changes made. So if they can see some but not the others, and they add/remove ones they can see, the others will remain unaffected.

> I imagine I'd be unhappy to find out how many folks have that permission? I tried using the Group Members report to get a count but it wasn't an option. It's a permission that's relatively easy to get if you're willing to put some time into it, but I don't see how people could safely edit bugs without being able to see these bug numbers.

select count(distinct user_id) from user_group_map where group_id = 9; -- group 9 = editbugs
5150

> I guess we'll have to live with it? I've dropped a note to get some feedback from other members of the team. I'm leaving my needinfo? on here and will get back with a more confident judgement.

(In reply to Daniel Veditz [:dveditz] from comment #4)

> This has caused issues with triagers and others who need to know that secure bugs are attached to the bug

> And if those users can't see the bug numbers, when they go into edit mode they could presumably cause lots of data loss by submitting dependency changes that drop all the bugs they couldn't see?

This will not happen. I tested and there are safeguards in the code to not make changes to the references list if the user is not allowed to see the secure bug.

> I imagine I'd be unhappy to find out how many folks have that permission? I tried using the Group Members report to get a count but it wasn't an option. It's a permission that's relatively easy to get if you're willing to put some time into it, but I don't see how people could safely edit bugs without being able to see these bug numbers.

select count(*) from user_group_map where group_id = (select id from groups where name = 'editbugs');
count(*)
5402

So are we good to go forward with this change? I will update the see_also to allow as well since we changed that recently.
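The two mechanisms discussed above (bare ids shown to editbugs members for bugs they cannot see, and the safeguard that keeps a dependency edit from dropping bugs the editor cannot see), written out as a small Python model. This is an added illustration, not Bugzilla's Perl code; the group model, field names, sample bugs and users, and the sorted-merge rule are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bug:
    id: int
    summary: str
    groups: frozenset = frozenset()  # restricting groups; empty means the bug is public


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()  # Bugzilla groups the user is a member of


def can_see_bug(user: User, bug: Bug) -> bool:
    """A bug is visible when it is public or the user is in one of its restricting groups."""
    return not bug.groups or bool(bug.groups & user.groups)


def visible_reference_ids(user, ids, bugs_by_id, show_ids_to_editbugs=True):
    """Ids rendered in a reference field such as 'Depends on'.

    show_ids_to_editbugs=False is the old behaviour (hidden bugs vanish from the
    field); True is the behaviour requested in this bug (editbugs members get the
    bare ids, everyone else still only sees bugs they are allowed to see)."""
    editbugs = "editbugs" in user.groups
    return [i for i in ids
            if can_see_bug(user, bugs_by_id[i]) or (show_ids_to_editbugs and editbugs)]


def render_reference(user, bug_id, bugs_by_id):
    """One entry of the field: id plus summary when visible, the bare id otherwise."""
    bug = bugs_by_id[bug_id]
    if can_see_bug(user, bug):
        return f"{bug.id} - {bug.summary}"
    return str(bug.id)  # only the number is disclosed, never the summary or other details


def merge_reference_edit(user, stored_ids, submitted_ids, bugs_by_id):
    """Apply a submitted reference list without touching bugs the user cannot see.

    Stored ids the user cannot see are kept no matter what the form submitted, and
    submitted ids that do not exist or that the user cannot see are dropped, so the
    user can only add or remove bugs they are allowed to see. (Modelled safeguard,
    not Bugzilla's actual implementation.)"""
    kept_hidden = {i for i in stored_ids if not can_see_bug(user, bugs_by_id[i])}
    visible_submitted = {i for i in submitted_ids
                         if i in bugs_by_id and can_see_bug(user, bugs_by_id[i])}
    return sorted(kept_hidden | visible_submitted)


# Constructed sample data (not real bugzilla.mozilla.org bugs, groups or users).
BUGS = {b.id: b for b in (
    Bug(100, "Public crash on startup"),
    Bug(200, "Secure bug: memory safety", frozenset({"core-security"})),
    Bug(300, "Secure bug: sandbox escape", frozenset({"core-security"})),
    Bug(400, "Public follow-up"),
)}
REPORTER = User("reporter")                                         # no special groups
TRIAGER = User("triager", frozenset({"editbugs"}))                  # editbugs only
SECTEAM = User("secteam", frozenset({"editbugs", "core-security"}))


def demo():
    """A bug whose 'Depends on' is 100, 200, 300, as seen and edited by each user."""
    depends_on = [100, 200, 300]
    return {
        "old_triager_view": visible_reference_ids(TRIAGER, depends_on, BUGS, False),
        "new_triager_view": visible_reference_ids(TRIAGER, depends_on, BUGS),
        "reporter_view": visible_reference_ids(REPORTER, depends_on, BUGS),
        "triager_entry_200": render_reference(TRIAGER, 200, BUGS),
        "secteam_entry_200": render_reference(SECTEAM, 200, BUGS),
        # triager removes 100 and adds 400; hidden 200 and 300 must survive untouched
        "triager_edit": merge_reference_edit(TRIAGER, depends_on, [300, 400], BUGS),
        # reporter, who only ever saw 100, submits an empty field
        "reporter_edit": merge_reference_edit(REPORTER, depends_on, [], BUGS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `merge_reference_edit` is the one raised in comment #4: a form submission is never taken as the complete new list, hidden ids are re-added from the stored state, so neither an editbugs triager nor a user who saw nothing can drop a secure dependency by saving the page.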

(In reply to David Lawrence [:dkl] from comment #5)

> So are we good to go forward with this change? I will update the see_also to allow as well since we changed that recently.

Ping dveditz

Yes, this change is fine

Flags: needinfo?(dveditz)
Attached file GitHub Pull Request (obsolete)
Attached file GitHub Pull Request
Attachment #9300431 - Attachment is obsolete: true
Attachment #9202595 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
See Also: → 1818029