SecureMail extension should encrypt password reset mail regardless of group membership if the user has provided a key

RESOLVED FIXED

Status

bugzilla.mozilla.org
Extensions: Other
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: justdave, Assigned: gerv)

Tracking

Production

Details

(Whiteboard: [securemail])

Attachments

(1 attachment, 1 obsolete attachment)

What the summary says...

The SecureMail extension should encrypt password reset mail regardless of group membership if the user has provided a key to encrypt it with in their preferences.
(Assignee)

Comment 1

6 years ago
Created attachment 528118 [details] [diff] [review]
Patch v.1

This should do the trick.

Gerv
Assignee: nobody → gerv
Status: NEW → ASSIGNED
Attachment #528118 - Flags: review?(dkl)
Attachment #528118 - Flags: feedback?(justdave)
Comment on attachment 528118 [details] [diff] [review]
Patch v.1

Review of attachment 528118 [details] [diff] [review]:

::: extensions/SecureMail/Extension.pm
@@ +220,2 @@
                 $make_secure = 0;
+            
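
Review bot: the line added after `$make_secure = 0;` at +220 contains only whitespace, and nothing visible in this hunk closes the block that assignment sits in. Drop the trailing whitespace and confirm the braces around the new condition balance; running t/001compile.t before uploading would catch an unbalanced block.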

t/001compile.t ....... 30/176 Missing right curly or square bracket at ./extensions/SecureMail/Extension.pm line 326, at end of line
syntax error at ./extensions/SecureMail/Extension.pm line 326, at EOF
Compilation failed in require at Bugzilla/Extension.pm line 82.
Attachment #528118 - Flags: review?(dkl)
Attachment #528118 - Flags: review-
Attachment #528118 - Flags: feedback?(justdave)
(Assignee)

Comment 3

6 years ago
Created attachment 528146 [details] [diff] [review]
Patch v.2

No idea what happened there; a typo just before I uploaded. Try this.

Gerv
Attachment #528118 - Attachment is obsolete: true
Attachment #528146 - Flags: review?(dkl)
Duplicate of this bug: 652868

Updated

6 years ago
Component: Bugzilla: Other b.m.o Issues → Extensions
Product: mozilla.org → bugzilla.mozilla.org
QA Contact: other-bmo-issues → bmo-exts
Version: other → Current

Updated

6 years ago
Whiteboard: [securemail]
Comment on attachment 528146 [details] [diff] [review]
Patch v.2

Review of attachment 528146 [details] [diff] [review]:

Looks good. Today I added an extensions/SecureMail/template/en/default/pages/securemail/help.html.tmpl that is a copy of the BMO/Keys wiki text.
Please update the text to show that having a key uploaded will always encrypt password reset emails regardless of group membership. r=dkl
Attachment #528146 - Flags: review?(dkl) → review+
(Assignee)

Comment 6

6 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bmo/4.0/
modified extensions/SecureMail/Extension.pm
Committed revision 7630.   

dkl: why move that help text into a page.cgi page rather than the wiki page? Surely that just makes it harder to update?

Gerv
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
If it's on the wiki, any Joe off the internet can come and edit it, unless we lock the page.  Locking the page makes it equivalently hard to edit as having it as a page.cgi template (find someone with the right permissions to edit it).
(Assignee)

Comment 8

6 years ago
(In reply to comment #7)
> If it's on the wiki, any Joe off the internet can come and edit it, unless we
> lock the page.  Locking the page makes it equivalently hard to edit as having
> it as a page.cgi template (find someone with the right permissions to edit it).

Or we watch it and revert bogus edits. What could they change it to do? Do you think if it said "mail your private key to bugzilla-keys@gmail.com" anyone would be that dumb?

Gerv
The reason is that we want anyone who wants to to be able to use the extension on their own Bugzilla instance. So the help for the extension needs to be self-contained and not always pointing to Mozilla's wiki. The wiki page could change or go away and then everyone's help links become broken.

dkl
(In reply to comment #8)
> Do you think if it said "mail your private key to bugzilla-keys@gmail.com"
> anyone would be that dumb?

Yes.  Because I've seen it happen.  Phishing on the Internet wouldn't exist as a problem if everyone was smart enough to avoid that kind of thing.

Comment 11

5 years ago
Comment on attachment 528146 [details] [diff] [review]
Patch v.2

Review of attachment 528146 [details] [diff] [review]:
-----------------------------------------------------------------

::: extensions/SecureMail/Extension.pm
@@ +208,5 @@
>              }
>          }
>          elsif ($is_passwordmail) {
> +            # Mail is made unsecure only if the user does not have a public
> +            # key and is not in any security groups. So specifying a public
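
Review bot: in the comment added under `elsif ($is_passwordmail) {`, "made unsecure" is ambiguous about what happens to the message. Say that the password mail is sent unencrypted, so the consequence of falling into this case is explicit to someone reading only this branch.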

cool test review

@@ +211,5 @@
> +            # Mail is made unsecure only if the user does not have a public
> +            # key and is not in any security groups. So specifying a public
> +            # key OR being in a security group means the mail is kept secure
> +            # (but, as noted above, the check is the other way around because
> +            # we default to secure).
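
Review bot: the parenthetical that closes this comment, "the check is the other way around because we default to secure", leaves the reader to invert the rule to work out what the code tests. State the tested condition directly, for example "clear the secure flag only when the user has no public key and is in no security group", and keep the key-OR-group sentence as the consequence.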

test patch review