1) Turn on strict_isolation. 2) Create a product that's mandatory/mandatory on any group. 3) Create a bug that's assigned to somebody not in that group. Or with a QA Contact who's not in that group. Or a CC-list member who's not in that group. 4) Bugzilla lets you. This is because we check can_edit_product in post_bug when we really should also be checking can_see_product.
Created attachment 234840 [details] [diff] [review] Patch
Humm... wait, please read bug 309681 comment 7 from joel first: "From my standpoint, we want to prevent the addition of any user who would violate a CANEDIT restriction on a bug. It is less a matter of keeping the user from seeing the bug as it is to keep the others who can see the bug from seeing the user." This would make this bug invalid.
joel, what is your initial intention? There seems to be some contradiction between being able to access/see/view bugs in a product and being able to edit bugs in this product. There is no relationship between edit and view, i.e. all 4 combinations of edit/view are possible. Which ones are we interested in with this strict_isolation feature? FWIW, I don't think this is a security bug, but a policy bug.
I'm OK with further tightening it so the user has to be able to both see and edit the product. We just have to make sure that we require both rather than substituting the seeing for editing. I'm not sure if we want to handle this as a security bug, though. Should we?
No, it's not a security bug, for the reason that we didn't intend to make sure the user could see the product. So post_bug.cgi (and probably other scripts too) behaves correctly.
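The policy agreed on above (under strict_isolation the assignee, QA contact and every CC-list member must be able to both see and edit the product, with "see" and "edit" checked independently rather than one substituted for the other) can be modelled as a small standalone check. This is an added illustration written for this page, not Bugzilla's own code: the `User`, `Product`, `can_see_product`, `can_edit_product` and `check_bug_roles` names, the `editbugs` flag standing in for edit rights, and the sample users and groups are all constructed for the example.

```python
"""Constructed model of the strict_isolation rule discussed in this bug.

A product may mark a group as Mandatory/Mandatory: every bug in the product
is placed in that group, so only group members can see the bug.  Under
strict_isolation the assignee, QA contact and every CC-list member must be
able to see the product (mandatory-group membership) AND to edit it, and the
two conditions are checked separately, since all four see/edit combinations
are possible.  Not Bugzilla code; names and sample data are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset = frozenset()   # groups the user belongs to
    editbugs: bool = False            # hypothetical stand-in for "may edit bugs"


@dataclass(frozen=True)
class Product:
    name: str
    mandatory_groups: frozenset = frozenset()   # Mandatory/Mandatory groups


def can_see_product(user: User, product: Product) -> bool:
    """Seeing a bug in the product requires membership in every mandatory group."""
    return product.mandatory_groups <= user.groups


def can_edit_product(user: User, product: Product) -> bool:
    """Editing is independent of seeing; modelled here by the editbugs flag."""
    return user.editbugs


def check_bug_roles(product: Product, assignee: User, qa_contact: User = None,
                    cc=(), strict_isolation: bool = True):
    """Return a list of (role, login, reason) violations; an empty list means
    the bug may be filed.  Both see and edit are required for every role, so
    a user who can edit but not see (or vice versa) is still rejected."""
    if not strict_isolation:
        return []
    roles = [("assignee", assignee)]
    if qa_contact is not None:
        roles.append(("qa_contact", qa_contact))
    roles.extend(("cc", member) for member in cc)

    violations = []
    for role, user in roles:
        if not can_see_product(user, product):
            violations.append((role, user.login, "cannot see product"))
        if not can_edit_product(user, product):
            violations.append((role, user.login, "cannot edit product"))
    return violations


# Constructed sample data covering all four see/edit combinations.
SECRET = Product("secret-product", mandatory_groups=frozenset({"secgroup"}))
ALICE = User("alice", frozenset({"secgroup"}), editbugs=True)   # sees + edits
BOB = User("bob", frozenset(), editbugs=True)                   # edits, cannot see
CAROL = User("carol", frozenset({"secgroup"}), editbugs=False)  # sees, cannot edit
DAVE = User("dave", frozenset(), editbugs=False)                # neither

if __name__ == "__main__":
    for v in check_bug_roles(SECRET, ALICE, qa_contact=BOB, cc=[CAROL, DAVE]):
        print("rejected:", v)
```

With strict_isolation on, only alice passes; bob is rejected for visibility even though he could edit, carol for editing even though she can see, and dave for both. With strict_isolation off the check is skipped entirely, matching the behaviour reported later in this bug.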
Comment on attachment 234840 [details] [diff] [review] Patch bitrotten due to (massive) post_bug.cgi changes. (likely) see Bugzilla/Bug.pm instead.
I don't want to break 2.22 with this bug.
Created attachment 261846 [details] [diff] [review] Patch Update
Comment on attachment 261846 [details] [diff] [review] Patch r=LpSolit assuming you tested it successfully on Bugzilla 3.1.2+ (just in case something weird changed in the code these last few weeks).
Marc, please comment when you have tested your patch on the current trunk. Holding approval meanwhile.
Ok, I tested assigning a new bug to a user not in a mandatory group of the product, and it did prevent me from doing it. Switching strict_isolation off, I'm allowed.
Checking in Bugzilla/Bug.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Bug.pm,v <-- Bug.pm new revision: 1.205; previous revision: 1.204 done
Added to the release notes for Bugzilla 3.2 in a patch on bug 432331.