278781 - Need way to give users true read-only capability by product

Status: RESOLVED WORKSFORME

(Bugzilla :: User Interface, enhancement)

Description

[Kevin Benton]

Need to give users in a group (public) ability to search bugs not in their group
(private).  Need to give those same users the ability to make comments to those
bugs, but not allow any status changes, assignment changes, etc.  Users in the
private group also need to be able to change product/component/version, etc.
where users in the private group should only be allowed to post to a single
product.  Users in the private group can post wherever.

Seemingly obvious options:
1)  Add return 1; to can_see_bug line 1 in User.pm.
2)  Create everyonecanseeallbugs parameter, then make a similar change
    as above if the everyonecanseeallbugs parameter is true.
3)  Add new functionality to the product/component combination allowing
    a new parameter giving visibility to all users for a particular
    product/component.

other ideas?

Comment 1

[Bill Barry]

What are you talking about?

Something like a third permission on "use for bugs" groups?

On the user page:

Group Access:    Can turn this bit on for others
                 |  Is a private member of this group (has editing privs)
                 |  |  Is a public member of this group (has viewing privs)
                [ ][ ]    Admin
                [ ][ ]    bz_canusewhineatothers
                [ ][ ]    bz_canusewhines
                [ ][ ]    ...
                [ ][ ][ ] Securityconcerns
                [ ][ ][ ] FeatureRequests
                [ ][ ][ ] TopSecret

Comment 2

[Marc Schumann [:Wurblzap]]

Being in all mandatory groups of a product makes you a Searcher, Viewer and Commenter. Being in all CANEDIT groups of a product makes you an Editor. I think it's all there, isn't it? WORKSFORME as far as I can tell.

Comment 3

[Frédéric Buclin]

I agree with WFM. What you try to do is described in comment 2. And we don't want to give more power to users not being in any group.

Comment 4

[Kevin Benton]

(In reply to comment #2)
> Being in all mandatory groups of a product makes you a Searcher, Viewer and
> Commenter. Being in all CANEDIT groups of a product makes you an Editor.

The reason I made this request (way back in '05) was to prevent general users from being able to even comment on a bug but still give them rights to see the bug's contents, thus making the bug truly read-only.

This is important for products that have been retired but remain in Bugzilla (for the purpose of archival of lessons learned and root cause analysis for example).  If additional comments need to be made, users should open a new bug in the appropriate product because the "old" product is closed.  Only those who have appropriate privileges should be authorized to update bugs in "archived" products.

(In reply to comment #3)
> I agree with WFM. What you try to do is described in comment 2. And we don't
> want to give more power to users not being in any group.

As I see it, this isn't giving more power to users not being in any group, I want to be able to grant all users the ability to view only by default (that can be taken away if there's a group restriction on a bug that prevents viewing), but not give them comment/edit capability.

From the group management screen in editproducts.cgi:

Group  	Entry  	MemberControl  	OtherControl  	Canedit  	editcomponents  	canconfirm  	editbugs  	Bugs

Becomes...

Group  	Entry  	MemberControl  	OtherControl  	Canedit  	Cancomment editcomponents  	canconfirm  	editbugs  	Bugs

Notice the new column - CanComment

Comment 5

[Frédéric Buclin]

AFAIK, you cannot comment *at all* if CANEDIT is set and you are not in the corresponding group. So this is still WFM.

Comment 6

[Max Kanat-Alexander]

Yes, that's what canedit is for. As far as improving the general way such permissions work, that would be a different bug.