User's permissions should be checked when autolinkifying bug ids in comments




7 years ago
16 days ago


(Reporter: koosha.khajeh, Unassigned)



(Whiteboard: [good first bug][lang=perl] )


(1 attachment, 1 obsolete attachment)

1.15 KB, patch
: review-
Details | Diff | Splinter Review


7 years ago
Right now, when autolinkying bug ids (in case of the existence of those ids) in comments, all bugs are linkified regardless of user's permissions.

So, if I click on a linkfied bug id that I do not have the required permission to see that, I will see the respective error. In this case, it would be a good idea to not linkify the bug id. Instead, we could use the tag <abbr> or <acronym> with a text like "You are not allowed to see this bug."

Comment 1

7 years ago
Note that the link contains the status and resolution of the bug. We shouldn't loose this information. But your proposal makes sense, assuming it's clear to users why they cannot click some "bug XXX" links while some others work.

Comment 2

7 years ago
Posted patch patch - v1 (obsolete) — Splinter Review
Attachment #645105 - Flags: review?(LpSolit)

Comment 3

7 years ago
Comment on attachment 645105 [details] [diff] [review]
patch - v1

>=== modified file 'template/en/default/bug/link.html.tmpl'

>+[% IF NOT user.can_see_bug(bug) %]
>+    <abbr title="[% link_title FILTER collapse FILTER html %]">
>+        [%~ link_text FILTER html %]</abbr>
>+    [% RETURN %]
>+[% END %]

If we follow this path, then you should put this code into a [% ELSE %] block following the existing [% IF user.can_see_bug(bug) %] block with all the relevant code in it. This is logically much nicer than the RETURN directive inserted here.

Now thinking about it a bit more, I often click on bugs I cannot see (because I'm logged out) because I know Bugzilla will ask me to log in to see it and so I will be able to enter my credentials and view the secure bug automatically. If we replace the link by <abbr>, then I won't be able to click on it at all and I will first have to log in, and then click on the link, which is not a big deal. :) I wonder if using a CSS class similar to the existing 'forbidden' class in admin.css wouldn't be better. This way, the text would look like not clickable, but could still be clicked by advanced users. Seems like a good compromise to me.
Attachment #645105 - Flags: review?(LpSolit) → review-


7 years ago
Target Milestone: --- → Bugzilla 4.4

Comment 4

7 years ago
Posted patch patch - v1.1Splinter Review
Assignee: ui → koosha.khajeh
Attachment #645105 - Attachment is obsolete: true
Attachment #651510 - Flags: review?(LpSolit)

Comment 5

7 years ago
Comment on attachment 651510 [details] [diff] [review]
patch - v1.1

As I said in comment 3, leave "bug XXX" as clickable, but use CSS to alter the way it's displayed to users who cannot access the bug.
Attachment #651510 - Flags: review?(LpSolit) → review-


7 years ago
Target Milestone: Bugzilla 4.4 → Bugzilla 5.0


7 years ago
Assignee: koosha.khajeh → ui


7 years ago
Whiteboard: [Good Intro Bug]
Whiteboard: [Good Intro Bug] → [good first bug][lang=perl]
Target Milestone: Bugzilla 5.0 → ---
Dylan, can you confirm that this bug is still valid in the current code base?  If so, could you relink to where the source is, what file to edit and add a mentor to the bug?
Flags: needinfo?(dylan)
This is still a valid bug.
Flags: needinfo?(dylan)
I'm a newbie, but maybe I can work on this bug ? thanks

Comment 9

2 years ago
No assignee is set so anyone can work on this - no 'permissions' in general. :)
Keywords: good-first-bug

Removing good-first-bug keyword because team does not have bandwidth to mentor at the moment.

Keywords: good-first-bug
You need to log in before you can comment on or make changes to this bug.