Closed Bug 1989605 Opened 2 months ago Closed 2 months ago

Don't allow brand-new accounts to use the Triage Request Form to self-grant `canconfirm`

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: dveditz, Unassigned)

Details

(Keywords: bmo-triaged)

Attachments

(1 file)

[mozilla-bteam/bmo] Bug 1989605 - Don't allow brand-new accounts to use the Triage Request Form to self-grant `canconfirm` (#2490) 2 months ago BMO Github Automation 46 bytes, text/x-github-pull-request		Details \| Review

Daniel Veditz [:dveditz]

Reporter

Description

•

2 months ago

•

Edited

We already have a problem with new people who join bugzilla and vandalize bugs. Separate from spammers, just people playing around to see how it works (students, bug bounty hunters). We should NOT allow these new people to use the Triage request form to self-grant the ability to change resolutions on bugs that are not their own. "New" accounts should not be allowed to do this. (example instance)

I'm not sure what value of "new" to use. 6 months? 6 weeks?

At the very least, a "NEW" account trying to load https://bugzilla.mozilla.org/page.cgi?id=triage_request.html should get an error. Dealer's choice whether you make a nice error page for it or just return a 403 Unauthorized
if you want to get fancy you could hide the "canconfim" line on https://bugzilla.mozilla.org/page.cgi?id=get_permissions.html if the account is "NEW"--if they are they won't know what they're missing.

There are other possible changes (like direct people to chat.mozilla.org to ask people, or set up another "file a bug" form), but I suspect people that new don't even know about canconfirm and would not be asking about it except that page tells them it exists. If new users find out it exists because they're already in chat and someone sends them to that page then the person who sent them can also help if they can't find the link.

Daniel Veditz [:dveditz]

Reporter

Comment 1

•

2 months ago

:dkl suggested reusing the _is_new() criteria used to add the "New to Bugzilla" comment badges. That would be a perfectly matching concept.

David Lawrence [:dkl]

Comment 2

•

2 months ago

We can re-use the user->is_new property to not show/allow the self-canconfirm for now:
https://github.com/mozilla-bteam/bmo/blob/master/extensions/TagNewUsers/Extension.pm#L192-L203

Severity: -- → S3

Type: task → enhancement

Keywords: bmo-triaged

Priority: -- → P2

BMO Github Automation

Comment 3

•

2 months ago

Attached file [mozilla-bteam/bmo] Bug 1989605 - Don't allow brand-new accounts to use the Triage Request Form to self-grant `canconfirm` (#2490) — Details

BMO Github Automation

Comment 4

•

2 months ago

Authored by https://github.com/dklawren
https://github.com/mozilla-bteam/bmo/commit/1c734cc234ee6348f912b5b8422e707e11d3f8d9
[master] Bug 1989605 - Don't allow brand-new accounts to use the Triage Request Form to self-grant

Status: NEW → RESOLVED

Closed: 2 months ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Don't allow brand-new accounts to use the Triage Request Form to self-grant `canconfirm`

Categories

(bugzilla.mozilla.org :: General, enhancement, P2)

Tracking

()

People

(Reporter: dveditz, Unassigned)

References

Details

(Keywords: bmo-triaged)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Attachment

General

Description

File Name

Content Type