Closed Bug 652345 Opened 14 years ago Closed 14 years ago

SecureMail extension should encrypt password reset mail regardless of group membership if the user has provided a key

Categories

(bugzilla.mozilla.org :: Extensions, defect)

RESOLVED FIXED

People

(Reporter: justdave, Assigned: gerv)

Details

(Whiteboard: [securemail])

Attachments

(1 file, 1 obsolete file)

What the summary says...

The SecureMail extension should encrypt password reset mail regardless of group membership if the user has provided a key to encrypt it with in their preferences.
Attached patch Patch v.1 (obsolete) — Splinter Review
This should do the trick.

Gerv
Assignee: nobody → gerv
Status: NEW → ASSIGNED
Attachment #528118 - Flags: review?(dkl)
Attachment #528118 - Flags: feedback?(justdave)
Comment on attachment 528118
Patch v.1

Review of attachment 528118:

::: extensions/SecureMail/Extension.pm
@@ +220,2 @@
                 $make_secure = 0;
+            
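
Review bot: the line added at +220, directly after `$make_secure = 0;`, contains only whitespace. If it was meant to carry the closing `}` of the enclosing block, that brace is missing, which would fit the "Missing right curly or square bracket" failure from t/001compile.t quoted in this review. Restore the brace, drop the trailing whitespace, and rerun t/001compile.t before asking for review again.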

t/001compile.t ....... 30/176 Missing right curly or square bracket at ./extensions/SecureMail/Extension.pm line 326, at end of line
syntax error at ./extensions/SecureMail/Extension.pm line 326, at EOF
Compilation failed in require at Bugzilla/Extension.pm line 82.
Attachment #528118 - Flags: review?(dkl)
Attachment #528118 - Flags: review-
Attachment #528118 - Flags: feedback?(justdave)
Attached patch Patch v.2 — Splinter Review
No idea what happened there; a typo just before I uploaded. Try this.

Gerv
Attachment #528118 - Attachment is obsolete: true
Attachment #528146 - Flags: review?(dkl)
Component: Bugzilla: Other b.m.o Issues → Extensions
Product: mozilla.org → bugzilla.mozilla.org
QA Contact: other-bmo-issues → bmo-exts
Version: other → Current
Whiteboard: [securemail]
Comment on attachment 528146
Patch v.2

Review of attachment 528146:

Looks good. Today I added an extensions/SecureMail/template/en/default/pages/securemail/help.html.tmpl that is a copy of the BMO/Keys wiki text.
Please update the text to show that having a key uploaded will always encrypt password reset emails regardless of group membership. r=dkl
Attachment #528146 - Flags: review?(dkl) → review+
Committing to: bzr+ssh://bzr.mozilla.org/bmo/4.0/
modified extensions/SecureMail/Extension.pm
Committed revision 7630.   

dkl: why move that help text into a page.cgi page rather than the wiki page? Surely that just makes it harder to update?

Gerv
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
If it's on the wiki, any Joe off the internet can come and edit it, unless we lock the page.  Locking the page makes it equivalently hard to edit as having it as a page.cgi template (find someone with the right permissions to edit it).
(In reply to comment #7)
> If it's on the wiki, any Joe off the internet can come and edit it, unless we
> lock the page.  Locking the page makes it equivalently hard to edit as having
> it as a page.cgi template (find someone with the right permissions to edit it).

Or we watch it and revert bogus edits. What could they change it to do? Do you think if it said "mail your private key to bugzilla-keys@gmail.com" anyone would be that dumb?

Gerv
The reason is that we want anyone who wants to, to be able to use the extension on their own Bugzilla instance. So the help for the extension needs to be self-contained and not always pointing to Mozilla's wiki. The wiki page could change or go away and then everyone's help links become broken.

dkl
(In reply to comment #8)
> Do you think if it said "mail your private key to bugzilla-keys@gmail.com"
> anyone would be that dumb?

Yes.  Because I've seen it happen.  Phishing on the Internet wouldn't exist as a problem if everyone was smart enough to avoid that kind of thing.
Comment on attachment 528146
Patch v.2

Review of attachment 528146:
-----------------------------------------------------------------

::: extensions/SecureMail/Extension.pm
@@ +208,5 @@
>              }
>          }
>          elsif ($is_passwordmail) {
> +            # Mail is made unsecure only if the user does not have a public
> +            # key and is not in any security groups. So specifying a public
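
Review bot: in the comment added under `elsif ($is_passwordmail)`, "made unsecure" is vague about what the user actually receives. This branch decides whether a password mail goes out without encryption, so name the outcome directly, for example "Mail is sent unencrypted only if the user has no public key and is in no security group".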

cool test review

@@ +211,5 @@
> +            # Mail is made unsecure only if the user does not have a public
> +            # key and is not in any security groups. So specifying a public
> +            # key OR being in a security group means the mail is kept secure
> +            # (but, as noted above, the check is the other way around because
> +            # we default to secure).
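
Review bot: the added comment states the rule twice with opposite polarity (unsecure only if no key AND no groups, then key OR group keeps it secure) and then leans on "as noted above" to explain why the check is inverted, which makes the condition easy to get wrong in a later edit. State it once, in the form the code actually tests, and consider a test covering the four key/group combinations for password mail so the secure default cannot regress unnoticed.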

test patch review
Component: Extensions: Other → Extensions