User's permissions should be checked when autolinkifying bug ids in comments




7 years ago
5 months ago


(Reporter: koosha.khajeh, Unassigned)



(Whiteboard: [good first bug][lang=perl] )


(1 attachment, 1 obsolete attachment)

1.15 KB, patch
: review-
Details | Diff | Splinter Review
Right now, when autolinkying bug ids (in case of the existence of those ids) in comments, all bugs are linkified regardless of user's permissions.

So, if I click on a linkfied bug id that I do not have the required permission to see that, I will see the respective error. In this case, it would be a good idea to not linkify the bug id. Instead, we could use the tag <abbr> or <acronym> with a text like "You are not allowed to see this bug."
Note that the link contains the status and resolution of the bug. We shouldn't loose this information. But your proposal makes sense, assuming it's clear to users why they cannot click some "bug XXX" links while some others work.
Posted patch patch - v1 (obsolete) — Splinter Review
Attachment #645105 - Flags: review?(LpSolit)
Comment on attachment 645105 [details] [diff] [review]
patch - v1

>=== modified file 'template/en/default/bug/link.html.tmpl'

>+[% IF NOT user.can_see_bug(bug) %]
>+    <abbr title="[% link_title FILTER collapse FILTER html %]">
>+        [%~ link_text FILTER html %]</abbr>
>+    [% RETURN %]
>+[% END %]

If we follow this path, then you should put this code into a [% ELSE %] block following the existing [% IF user.can_see_bug(bug) %] block with all the relevant code in it. This is logically much nicer than the RETURN directive inserted here.

Now thinking about it a bit more, I often click on bugs I cannot see (because I'm logged out) because I know Bugzilla will ask me to log in to see it and so I will be able to enter my credentials and view the secure bug automatically. If we replace the link by <abbr>, then I won't be able to click on it at all and I will first have to log in, and then click on the link, which is not a big deal. :) I wonder if using a CSS class similar to the existing 'forbidden' class in admin.css wouldn't be better. This way, the text would look like not clickable, but could still be clicked by advanced users. Seems like a good compromise to me.
Attachment #645105 - Flags: review?(LpSolit) → review-
Target Milestone: --- → Bugzilla 4.4
Posted patch patch - v1.1Splinter Review
Assignee: ui → koosha.khajeh
Attachment #645105 - Attachment is obsolete: true
Attachment #651510 - Flags: review?(LpSolit)
Comment on attachment 651510 [details] [diff] [review]
patch - v1.1

As I said in comment 3, leave "bug XXX" as clickable, but use CSS to alter the way it's displayed to users who cannot access the bug.
Attachment #651510 - Flags: review?(LpSolit) → review-
Target Milestone: Bugzilla 4.4 → Bugzilla 5.0
Assignee: koosha.khajeh → ui
Whiteboard: [Good Intro Bug]
Whiteboard: [Good Intro Bug] → [good first bug][lang=perl]
Target Milestone: Bugzilla 5.0 → ---
Dylan, can you confirm that this bug is still valid in the current code base?  If so, could you relink to where the source is, what file to edit and add a mentor to the bug?
Flags: needinfo?(dylan)
This is still a valid bug.
Flags: needinfo?(dylan)
I'm a newbie, but maybe I can work on this bug ? thanks
No assignee is set so anyone can work on this - no 'permissions' in general. :)

Removing good-first-bug keyword because team does not have bandwidth to mentor at the moment.

Keywords: good-first-bug
You need to log in before you can comment on or make changes to this bug.