600668 - Able to change (at least) the status whiteboard via the web service even though usestatuswhiteboard is off

Status: RESOLVED WONTFIX

(Bugzilla :: WebService, defect)

Description

[Reed Loden [:reed]]

catlee was using BzAPI against https://landfill.bugzilla.org/bzapi_sandbox/ to test some new buildbot<->bugzilla integration. He noticed that the status whiteboard was not showing in the UI, yet he was still able to edit it using BzAPI. I checked the params, and 'usestatuswhiteboard' was set to off. Activity clearly shows that he was able to change the whiteboard even when the param was off. This should not be possible.

Comment 1

[Reed Loden [:reed]]

For the record, I'm not sure how BzAPI is updating the bug... not sure if it's using the web service or just sending data directly to process_bug.cgi.

Comment 2

[Frédéric Buclin]

Not a blocker. This behavior exists since 2.2 (yes, 2.2, not 2.20!). And this behavior is the same for all other fields controlled by a usefoo parameter. I agree that we shouldn't be able to edit an unused field, but this not a regression.

Comment 3

[Max Kanat-Alexander]

Actually (and I really need to write this up somewhere prominent), the general design plan is that field-controlling parameters control *ONLY* the web UI, except where it's logically required to have backend code (such as around the "alias" field). That is, the purpose of field parameters is to clean up the UI, and there's no need to do that in the API, so all disabled fields will still be accessible via the API, even if they don't show up in the web UI. The API *does* allow clients to discover that fields are disabled, though, via Bug.fields, so they can make their own decisions about how to treat disabled fields.

Comment 4

[Gervase Markham [:gerv]]

Reed: just for your info, BzAPI makes bug updates by submitting to process_bug.cgi.

Gerv