Closed Bug 250605 (Opened 20 years ago, Closed 20 years ago)
Metadata changes on private attachments shown in bugmail to people not in the insidergroup
Categories: (Bugzilla :: Email Notifications, defect, P2)
Tracking: RESOLVED FIXED, Bugzilla 2.18
People: (Reporter: bugreport, Assigned: bugreport)
Details: (Whiteboard: [does not affect 2.16.x] [fixed in 2.18rc3] [fixed in 2.19.1])
Attachments: (1 file) 1.15 KB, patch (kiko: review+, justdave: review+)
If an attachment is private, requests and changes to the description, mime-type,
etc. should also be private.
Best bet is to LEFT JOIN in the attachments when going through the bug, pull the
private flag, and or that into $anyprivate
Comment 1 • 20 years ago (Assignee)
This should be nicely contained within BugMail.pm
If a diff involves an attachment and the attachment is private, then make sure
$anyprivate gets set.
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.20
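Added example, not part of the bug or its patch: a Python/sqlite3 sketch of the approach in the description and comment 1, where a LEFT JOIN pulls each change's attachment private flag so changes on private attachments can be withheld from recipients outside the insidergroup. The table layout, sample rows and function names are constructed for illustration; Bugzilla's own code is Perl in BugMail.pm.

```python
import sqlite3

# Constructed, simplified tables and rows (assumption: not Bugzilla's full schema).
SCHEMA = """
CREATE TABLE attachments (attach_id INTEGER PRIMARY KEY, bug_id INTEGER,
                          isprivate INTEGER);
CREATE TABLE bugs_activity (bug_id INTEGER, attach_id INTEGER, field TEXT,
                            removed TEXT, added TEXT);
"""
COLUMNS = ("field", "removed", "added", "attach_id", "isprivate")

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO attachments VALUES (?, ?, ?)",
                   [(10, 1, 0), (11, 1, 1)])  # attachment 11 is private
    db.executemany("INSERT INTO bugs_activity VALUES (?, ?, ?, ?, ?)", [
        (1, None, "priority", "--", "P2"),                   # no attachment
        (1, 10, "attachments.description", "old", "new"),    # public attachment
        (1, 11, "attachments.mimetype", "text/plain", "text/x-diff"),  # private
    ])
    return db

def collect_diffs(db, bug_id):
    """LEFT JOIN keeps changes with no attachment (NULL attach_id) and
    carries isprivate along for changes that belong to an attachment."""
    rows = db.execute(
        """SELECT a.field, a.removed, a.added, a.attach_id,
                  COALESCE(att.isprivate, 0)
           FROM bugs_activity a
           LEFT JOIN attachments att ON att.attach_id = a.attach_id
           WHERE a.bug_id = ?
           ORDER BY a.rowid""", (bug_id,)).fetchall()
    return [dict(zip(COLUMNS, row)) for row in rows]

def any_private(diffs):
    """OR every row's flag into one value, like $anyprivate."""
    return any(d["isprivate"] for d in diffs)

def diffs_for(diffs, is_insider):
    """Per-recipient view: non-insiders never see private-attachment changes."""
    return [d for d in diffs if is_insider or not d["isprivate"]]

if __name__ == "__main__":
    all_diffs = collect_diffs(build_db(), 1)
    for label, insider in (("insider", True), ("outsider", False)):
        print(label, [d["field"] for d in diffs_for(all_diffs, insider)])
```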
Comment 2 • 20 years ago (Assignee)
Updated • 20 years ago (Assignee)
Attachment #154606 - Flags: review?
Comment 3 • 20 years ago (Assignee)
This really should wind up on 2.18
Status: NEW → ASSIGNED
Flags: blocking2.18?
Target Milestone: Bugzilla 2.20 → Bugzilla 2.18
Updated • 20 years ago
Flags: blocking2.18? → blocking2.18+
Comment 4 • 20 years ago
This sounds like a case of information leakage?
Updated • 20 years ago
Group: webtools-security
Updated • 20 years ago (Assignee)
Attachment #154606 - Flags: review?(zach)
Comment 5 • 20 years ago
Comment on attachment 154606
No difftext on bugmail regarding private attachments
Looks okay. You could:
- Use user->in_group() instead of keying the user->groups hash
- Perhaps use "insideronly" or something to avoid overloading isprivate to
indicate that it's only visible to isprivate, though IIRC that could be a
common convention in our code.
Simple enough to not require 2r=?
Attachment #154606 - Flags: review? → review+
Updated • 20 years ago
Whiteboard: patch awaiting second review or checkin
Updated • 20 years ago
Attachment #154606 - Flags: review?(zach)
Comment 6 • 20 years ago
holding approval for release day
Flags: approval?
Flags: approval2.18?
Whiteboard: patch awaiting second review or checkin → [does not affect 2.16.x] [ready for 2.18rc3] [ready for 2.19.1]
Comment 7 • 20 years ago
clarifying summary so we can tell this apart from bug 253544 on a buglist.
Summary: Metadata changes on private attachments should be private as well → Metadata changes on private attachments shown in bugmail to people not in the insidergroup
Comment 8 • 20 years ago
checked in on trunk:
Checking in Bugzilla/BugMail.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/BugMail.pm,v <-- BugMail.pm
new revision: 1.16; previous revision: 1.15
done
and on 2.18 branch:
Checking in Bugzilla/BugMail.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/BugMail.pm,v <-- BugMail.pm
new revision: 1.13.2.1; previous revision: 1.13
done
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Flags: approval?
Flags: approval2.18?
Flags: approval2.18+
Flags: approval+
Resolution: --- → FIXED
Whiteboard: [does not affect 2.16.x] [ready for 2.18rc3] [ready for 2.19.1] → [does not affect 2.16.x] [fixed in 2.18rc3] [fixed in 2.19.1]
Updated • 12 years ago
QA Contact: matty_is_a_geek → default-qa