Closed Bug 656716 Opened 14 years ago Closed 14 years ago

obsolete.fax@gmail.com spammed a bunch of blocking flags without editbugs

Categories

(bugzilla.mozilla.org :: Administration, task)

Product:
bugzilla.mozilla.org
Component:
Administration
Version:
Production
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: benjamin, Unassigned)

References

Details

Attachments

(1 file)

Patch to require privs to unset a set tracking flag (v1)
783 bytes, patch
glob
: review+
Details | Diff | Splinter Review
obsolete.fax@gmail.com made a bunch of unwelcome blocking nominations, such as in https://bugzilla.mozilla.org/show_activity.cgi?id=409737. But according to his user history, his editbugs privs were revoked 2010.05.24, and those flags are supposed to be limited to users with editbugs privileges. Can we check and see whether the flags are configured correctly, or how this spammage happened?
The ability to nominate blocking flags is not restricted to certain groups (and has never been). However, if obsolete.fax@gmail.com has done this before, his/her account could just be disabled.
Per bug 648555, the tracking flags should be nominatable by only people with editbugs. Can we please make that change? I will deal with this particular instance separately, I don't think revoking the account is warranted (yet).
Blocks: 648555
I seem to be getting a lot of bugmail today where he is making flag changes. https://bugzilla.mozilla.org/show_activity.cgi?id=572661 is another example.
Reopened bug 648555 as it needs some work to block users from requesting who are not in the 'editbugs' group. dkl
Blocks: 657382
(In reply to comment #1) > The ability to nominate blocking flags is not restricted to certain groups > (and has never been). However, if obsolete.fax@gmail.com has done this > before, his/her account could just be disabled. I don't see it documented anywhere "don't nominate things unless you know what you're doing", and in fact we invite our beta audience (on branches, anyway) to over-nominate out of fear we'll miss something important. Unless (s)he's been explicitly warned disabling the account doesn't seem fair, it looked like a good-faith effort to advocate for certain bugs.
https://bugzilla.mozilla.org/page.cgi?id=user_activity.html&action=run&who=obsolete.fax%40gmail.com&from=2011-05-01&to=2011-05-16 something which concerns me is the clearing of a bunch of flags at the end of the report. the current flag security code allows for this, however i'm not sure if this is by design or a bug. to me it makes sense that if only trusted accounts can set the flag, then likewise only trusted accounts should be able to clear the flag once set.
OS: Windows 7 → All
Hardware: x86 → All
First crack at this issue. The patch basically requires the user to have empowerment if they are either setting a flag to a value other then ---, ? or to set it back to ---, ? from a granted state. dkl
Attachment #532867 - Flags: review?(glob)
(In reply to comment #8) > Attachment #532867 [details] [diff] Flags: review?(glob@mozilla.com) > Patch to require privs to unset a set tracking flag (v1) i'll hold off on the review until we have feedback that this is the desired behavour.
That sounds reasonable, but I still believe we should just require editbugs to set the flag. FWIW, I mailed obsolete.fax directly, and after some discussion I do not believe that he will be changing the tracking flags in the future.
Comment on attachment 532867 [details] [diff] [review] Patch to require privs to unset a set tracking flag (v1) r=glob
Attachment #532867 - Flags: review?(glob) → review+
(In reply to comment #10) > That sounds reasonable, but I still believe we should just require editbugs > to set the flag. Yeah this patch fixes a different issue in that I feel that only people of privilege should be able to un-GRANT a flag once it has been set. The original issue you were concerned with is the ability to nominate the flag in the first place. dkl
(In reply to comment #11) > Comment on attachment 532867 [details] [diff] [review] [review] > Patch to require privs to unset a set tracking flag (v1) > > r=glob Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.0 modified extensions/BMO/Extension.pm Committed revision 7705 dkl
Open a new bug if there is still any issues related to tracking flags. dkl
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: