Closed Bug 282485 Opened 20 years ago Closed 20 years ago

Specific search returns bugs not associated with group

Categories

(Bugzilla :: Query/Bug List, enhancement)

x86
Other
enhancement
Not set
normal

RESOLVED INVALID

People

(Reporter: james.lowell, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

When on the search page the 'Product' ring list shows all products associated
with the logged in user's group.  If the user leaves the ring list at the
default position of 'All' the results page shows all the bugs in the database,
not just the ones associated with the group.

Reproducible: Always

Steps to Reproduce:
1. Log in to Bugzilla with a user who is part of a group
2. Click on the 'Search' link
3. Verify that only the products in the group are displayed in the 'Product'
ring list
4. Select 'All' in the 'Product' ring list
5. Click the 'Search' button

Actual Results:  
All the bugs in the database are displayed.

Expected Results:  
Only the bugs that are associated with the user's group should be displayed.

The debug SELECT statement from after clicking the 'Search' button:
SELECT bugs.bug_id, bugs.bug_severity, bugs.priority, bugs.bug_status,
bugs.resolution, bugs.bug_severity, bugs.priority, bugs.rep_platform,
map_assigned_to.login_name, bugs.bug_status, bugs.resolution, bugs.short_desc
FROM bugs, profiles AS map_assigned_to LEFT JOIN bug_group_map ON
bug_group_map.bug_id = bugs.bug_id AND bug_group_map.group_id NOT IN (15) LEFT
JOIN cc ON cc.bug_id = bugs.bug_id AND cc.who = 19 WHERE bugs.assigned_to =
map_assigned_to.userid AND (bugs.bug_status IN
('UNCONFIRMED','NEW','ASSIGNED','REOPENED')) AND ((bug_group_map.group_id IS
NULL) OR (bugs.reporter_accessible = 1 AND bugs.reporter = 19) OR
(bugs.cclist_accessible = 1 AND cc.who IS NOT NULL) OR (bugs.assigned_to = 19) )
GROUP BY bugs.bug_id

I notice that "bug_group_map.group_id NOT IN (15)" is in the first half of the
statement, but "(bug_group_map.group_id IS NULL)" in the second.  One would
think they should both be "NOT IN (15)".

Ummm, there is no "All" in the product list on the query page.  Where are you
seeing this?  This is likely a local customization someone has added to the
Bugzilla you're seeing this on, and they missed something when creating it.

If this is actually something on an out-of-the-box Bugzilla, please reopen this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Just pulled the Bugzilla 2.18 off http://www.bugzilla.org and copied the *.cgi,
*.pl and all the files in the template directory over my existing installation.
There is most definitely an 'All' in the 'Product' drop down list.  I can see it
in the "search-specific.html.tmpl" file that creates the search page.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
James, you're talking about the "Specific Search" variant of the Search page,
right? I think Dave was talking about the "Advanced Search" variant.

Yes I am talking about the Specific search, but the issue shows itself with the
advanced search too.  If you don't select any products it will return results
just like the 'All' on the 'Products' drop down list.

Haven't confirmed yet, neither did I understand it completely. Setting
webtools-security just in case.

Let me rephrase for clarification -- is what you're saying that you have a
mandatory group for a product, and users not in that group get bugs in that
product listed in buglist.cgi, provided they don't restrict their search on a
product?
Group: webtools-security
1. Assume GroupA, GroupB, UserA, UserB and ProductA.
2. ProductA has 'Show/NA' with 'Entry' set for GroupA and 'NA/NA' for GroupB.
3. UserA is in GroupA and UserB is in GroupB.
4. In the Search page UserA can see ProductA and UserB cannot (as expected).
5. If UserB sets the 'Product' drop down list to 'All' or does not select any
product and clicks the 'Search' button he will see bugs for ProductA.

Ok, so that's no security thing then, because bug visibility is as expected.

The behaviour is by design:

The product (meaning: its bugs) is hidden when you use mandatory bugs.

The product (meaning: its appearance in search form select fields) is hidden by
conditions depending on the useentrygroupdefault param (see its description).
Group: webtools-security
Marc, is this a dupe of bug 208432?
Be very careful with any changes in this area.  We don't want to make it
impossible for a user to search for a bug that the user is supposed to be able
to see even if the bug is in a product the user could not select.

(In reply to comment #9)
> Marc, is this a dupe of bug 208432?

I don't think so. I'd say this bug here aims for the exact opposite. James?
Severity: major → enhancement
I found that using 'Mandatory/Mandatory' w/ 'Entry' functions the way I wanted.
 But it still seems there is an issue with a user being able to see bugs they
shouldn't.  If a user is created to see only certain products in the 'Product'
ring list one would assume that they should not be able to see bugs in other
products.  Some people might call the current behavior a feature and there is a
valid work around therefore it might be best to leave it alone.  This behavior
should be noted in the documentation for Groups though so people are not caught
by surprise when a customer can see all projects (and their bugs) within a company.

Marking INVALID.

Regarding documentation -- there is groups control documentation at
http://www.bugzilla.org/docs/tip/html/groups.html (describing how to set up
which bugs users can or cannot see), and the useentrygroupdefault parameter is
documented on the editparams.cgi page and at
http://www.bugzilla.org/docs/tip/html/parameters.html (describing how to set up
which products users can see at the search pages).
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
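
The visibility clause of the debug query posted above, run against a small constructed data set to show why "NOT IN (15)" in the join and "IS NULL" in the WHERE clause belong together. This is an added example, not part of the original thread and not Bugzilla's own code. The schema is simplified; group 15 and user 19 come from the posted query, while group 14, user 18 and the bug rows are assumptions.

```python
import sqlite3

# Constructed sample data. Group 15 and user 19 match the debug query on the
# page; group 14, user 18 and the bug rows are assumptions for illustration.
SCHEMA = """
CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, product TEXT, reporter INT,
                   assigned_to INT, reporter_accessible INT, cclist_accessible INT);
CREATE TABLE bug_group_map (bug_id INT, group_id INT);
CREATE TABLE cc (bug_id INT, who INT);
INSERT INTO bugs VALUES
  (1, 'ProductA', 18, 18, 1, 1),   -- not placed in any group
  (2, 'ProductA', 18, 18, 1, 1),   -- restricted to group 14 (GroupA)
  (3, 'ProductA', 18, 18, 1, 1),   -- restricted to group 14, user 19 is on CC
  (4, 'ProductB', 19, 19, 1, 1);   -- restricted to group 15 (GroupB)
INSERT INTO bug_group_map VALUES (2, 14), (3, 14), (4, 15);
INSERT INTO cc VALUES (3, 19);
"""

def visible_bugs(conn, user_id, user_groups):
    """Return bug ids the user may see, using the join shape of the page's query."""
    marks = ",".join("?" * len(user_groups))
    sql = f"""
        SELECT bugs.bug_id
        FROM bugs
        -- Join only rows for groups the user is NOT in: each match is a blocker.
        LEFT JOIN bug_group_map ON bug_group_map.bug_id = bugs.bug_id
                               AND bug_group_map.group_id NOT IN ({marks})
        LEFT JOIN cc ON cc.bug_id = bugs.bug_id AND cc.who = ?
        -- IS NULL means no blocking row was joined: the bug is unrestricted,
        -- or every group restricting it is one the user belongs to.
        WHERE bug_group_map.group_id IS NULL
           OR (bugs.reporter_accessible = 1 AND bugs.reporter = ?)
           OR (bugs.cclist_accessible = 1 AND cc.who IS NOT NULL)
           OR bugs.assigned_to = ?
        GROUP BY bugs.bug_id ORDER BY bugs.bug_id"""
    rows = conn.execute(sql, [*user_groups, user_id, user_id, user_id])
    return [r[0] for r in rows]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return {"UserA": visible_bugs(conn, 18, [14]),
            "UserB": visible_bugs(conn, 19, [15])}

if __name__ == "__main__":
    print(demo())
```

UserB gets bug 1 in ProductA because no bug_group_map row restricts it, which matches what the reporter saw; bug 2 stays hidden from UserB because it carries a row for a group UserB is not in, the result the reporter obtained with 'Mandatory/Mandatory'.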