User's permissions should be checked when autolinkifying bug ids in comments

NEW
Unassigned

Status

()

Bugzilla
User Interface
--
enhancement
5 years ago
3 months ago

People

(Reporter: Koosha KM, Unassigned)

Tracking

({good-first-bug})

Details

(Whiteboard: [good first bug][lang=perl] )

Attachments

(1 attachment, 1 obsolete attachment)

1.15 KB, patch
Frédéric Buclin
: review-
Details | Diff | Splinter Review
(Reporter)

Description

5 years ago
Right now, when autolinkying bug ids (in case of the existence of those ids) in comments, all bugs are linkified regardless of user's permissions.

So, if I click on a linkfied bug id that I do not have the required permission to see that, I will see the respective error. In this case, it would be a good idea to not linkify the bug id. Instead, we could use the tag <abbr> or <acronym> with a text like "You are not allowed to see this bug."

Comment 1

5 years ago
Note that the link contains the status and resolution of the bug. We shouldn't loose this information. But your proposal makes sense, assuming it's clear to users why they cannot click some "bug XXX" links while some others work.
(Reporter)

Comment 2

5 years ago
Created attachment 645105 [details] [diff] [review]
patch - v1
Attachment #645105 - Flags: review?(LpSolit)

Comment 3

5 years ago
Comment on attachment 645105 [details] [diff] [review]
patch - v1

>=== modified file 'template/en/default/bug/link.html.tmpl'

>+[% IF NOT user.can_see_bug(bug) %]
>+    <abbr title="[% link_title FILTER collapse FILTER html %]">
>+        [%~ link_text FILTER html %]</abbr>
>+    [% RETURN %]
>+[% END %]

If we follow this path, then you should put this code into a [% ELSE %] block following the existing [% IF user.can_see_bug(bug) %] block with all the relevant code in it. This is logically much nicer than the RETURN directive inserted here.

Now thinking about it a bit more, I often click on bugs I cannot see (because I'm logged out) because I know Bugzilla will ask me to log in to see it and so I will be able to enter my credentials and view the secure bug automatically. If we replace the link by <abbr>, then I won't be able to click on it at all and I will first have to log in, and then click on the link, which is not a big deal. :) I wonder if using a CSS class similar to the existing 'forbidden' class in admin.css wouldn't be better. This way, the text would look like not clickable, but could still be clicked by advanced users. Seems like a good compromise to me.
Attachment #645105 - Flags: review?(LpSolit) → review-

Updated

5 years ago
Target Milestone: --- → Bugzilla 4.4
(Reporter)

Comment 4

5 years ago
Created attachment 651510 [details] [diff] [review]
patch - v1.1
Assignee: ui → koosha.khajeh
Attachment #645105 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #651510 - Flags: review?(LpSolit)

Comment 5

5 years ago
Comment on attachment 651510 [details] [diff] [review]
patch - v1.1

As I said in comment 3, leave "bug XXX" as clickable, but use CSS to alter the way it's displayed to users who cannot access the bug.
Attachment #651510 - Flags: review?(LpSolit) → review-

Updated

5 years ago
Target Milestone: Bugzilla 4.4 → Bugzilla 5.0
(Reporter)

Updated

5 years ago
Assignee: koosha.khajeh → ui
Status: ASSIGNED → NEW
(Reporter)

Updated

5 years ago
Whiteboard: [Good Intro Bug]
Whiteboard: [Good Intro Bug] → [good first bug][lang=perl]

Updated

3 years ago
Target Milestone: Bugzilla 5.0 → ---
Dylan, can you confirm that this bug is still valid in the current code base?  If so, could you relink to where the source is, what file to edit and add a mentor to the bug?
Flags: needinfo?(dylan)
This is still a valid bug.
Flags: needinfo?(dylan)
I'm a newbie, but maybe I can work on this bug ? thanks

Comment 9

7 months ago
No assignee is set so anyone can work on this - no 'permissions' in general. :)
Keywords: good-first-bug
You need to log in before you can comment on or make changes to this bug.