I faced this one with my private installation of BugZilla 2.12 (see URL). If you log in a user that isn't allowed to view all groups assigned to products, the products he has no permissions for are excluded in enter_bug.cgi as well as in query.cgi - but they still show up in describecomponents.cgi. I can even view all entries there if I'm not logged in as any user...
One potential security hole with this patch is that if a product doesn't exist the error message says the product name is invalid, but if a product exists and the user is not authorized to access it then the error message says the user is not authorized. This could potentially allow someone to guess at product names in order to find out which products exist in the database, even if they would not be able to get any other information about that product. I'm not sure whether this can be considered enough of a security hole that we should print the same message in both situations. It is similar to the situation where a cracker enters a correct login name but incorrect password. Do we let them know the login name was correct?
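The two points raised so far, a listing page that does not filter products by the user's groups and a lookup whose error text reveals whether a product exists, can both be illustrated in a small model. The following is an added example written for this thread, not Bugzilla's own code; the product table, group names and user records are constructed for the demonstration, and the function names are hypothetical.

```python
# Added example (not Bugzilla code): filter product lists by group membership
# and return one uniform error for "no such product" and "not authorized".
# All product, group and user data below is constructed for the demonstration.

from dataclasses import dataclass, field

# Constructed product table: product name -> set of groups required to see it.
PRODUCTS = {
    "WebTools": {"secret-group"},   # restricted to members of secret-group
    "Bugzilla": set(),              # no restriction, visible to everyone
}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


ANONYMOUS = User("anonymous")   # a visitor who is not logged in


def visible_products(user):
    """Products the user may see: unrestricted ones plus those whose required
    groups the user belongs to.  Any listing page should build its menus from
    this, rather than from every product in the table."""
    return sorted(name for name, required in PRODUCTS.items()
                  if required <= user.groups)


class ProductError(Exception):
    pass


def leaky_lookup(user, name):
    """The 'before' behaviour: two distinct messages, so a caller can tell a
    non-existent product apart from one they simply may not access."""
    if name not in PRODUCTS:
        raise ProductError(f"'{name}' is not a valid product.")
    if not PRODUCTS[name] <= user.groups:
        raise ProductError(f"You are not authorized to access '{name}'.")
    return name


def uniform_lookup(user, name):
    """The 'after' behaviour: one message for both cases, so probing product
    names learns nothing about which products exist in the database."""
    if name in PRODUCTS and PRODUCTS[name] <= user.groups:
        return name
    raise ProductError(
        "That product does not exist or you are not authorized to access it.")


def error_message(lookup, user, name):
    """Run a lookup and return its error text (None on success), so the two
    behaviours can be compared side by side."""
    try:
        lookup(user, name)
        return None
    except ProductError as exc:
        return str(exc)


if __name__ == "__main__":
    print("anonymous sees:", visible_products(ANONYMOUS))
    for lookup in (leaky_lookup, uniform_lookup):
        print(lookup.__name__)
        for name in ("WebTools", "NoSuchProduct"):
            print("  ", name, "->", error_message(lookup, ANONYMOUS, name))
```

Running it shows that `leaky_lookup` answers the anonymous user differently for a hidden product than for a non-existent one, while `uniform_lookup` gives the same text in both cases; `visible_products` is the check the listing pages would need to apply consistently.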
Adding "review" keyword to get these on the radars of reviewers (if they aren't already).
We don't. We just say the password is invalid. I don't think that's something to worry about overly much, but feel free to point out that I'm wrong if you think of something else. Test on main landfill install looks good. r=tara
Moving to Bugzilla product