Open Bug 545176 Opened 14 years ago Updated 9 years ago

allow everybody to set the private flag, not just members of insider group

Categories

(Bugzilla :: Attachments & Requests, enhancement)

Product:
Bugzilla
Component:
Attachments & Requests
Version:
3.4.5
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

People

(Reporter: luca, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; it; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
Build Identifier: Firefox 3.5.7

According to http://www.bugzilla.org/features/#private the current way "private comments/attachments" works is:

---
If you are in the "insider group," you can mark certain attachments and comments as private, and then they will be invisible to users who are not in the insider group.
---

This is not flexible enough for us: we want our users to be able to mark their  comments/attachments as private, but they must not be able to view private comments/attachments sent by other users.

Previously it was possible to mark comments/attachments as private without being in the insidergroup.

Am I missing something?

To achieve maximum flexibility, it would be great to have two separated groups: one which has the privilege to set the private flag and one which has the privilege to read anything with the private flag.

The author of a private comment/attachment should be always able to view it, regardless of the flags.


Reproducible: Always
Summary: unable to set attachments as private by default → allow everybody to set the private flag, not just members of insider group
Isn't it enough to restrict the bug itself to a group?
Severity: minor → enhancement
OS: Linux → All
Hardware: x86 → All
Version: unspecified → 3.4.5
The text of the bug report shall be public (so that we don't get too many duplicate bugs), just the attachment shall be private.

Attachments usually contain sensitive information.
(In reply to comment #0)
> Previously it was possible to mark comments/attachments as private without
> being in the insidergroup.
> 
> Am I missing something?

  Perhaps that was a local customization, because that was never possible. 

  I certainly see the use case for your organization, but in general we're pretty opposed to allowing people to do things that they can't undo. Perhaps we should always allow comment authors and attachment creators to see their own private things--that would handle the problem.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to comment #3)
> should always allow comment authors and attachment creators to see their own
> private things--that would handle the problem.

Attachment creators can always see their own attachments.
You need to log in before you can comment on or make changes to this bug.