Open Bug 862134 Opened 11 years ago Updated 11 years ago

Dependency graph shows dependencies that the user cannot see

Categories

(Bugzilla :: Dependency Views, defect)

x86_64
Linux
defect
Not set
minor

People

(Reporter: mail, Unassigned)

Details

I have four bugs. Bug One depends on Bug Two which depends on Bug Three which depends on Bug Four. Bug Two and Bug Three are private. If I view the dependency graph for Bug One, I can see all four bugs. This should not be, because the user is unaware that Bug Two depends on Bug Three.

An example of this is at the tip:
https://landfill.bugzilla.org/bugzilla-tip/showdependencygraph.cgi?id=20901

I would expect Bugs Three and Four not to be shown.

This is similar to bug 370883, but for dependency graphs, not trees.
This is not a security bug either. You still don't know what these bugs are about. And the other bug is public anyway, so this "vulnerability" is already in the wild.
Group: bugzilla-security
Severity: normal → minor
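
The behaviour the report describes next to the behaviour it asks for, as an added example that is not part of the bug report and is not Bugzilla's code. The bug ids, the `DEPENDS_ON` and `PRIVATE` tables and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample data mirroring the report: One -> Two -> Three -> Four.
DEPENDS_ON = {1: [2], 2: [3], 3: [4], 4: []}
PRIVATE = {2, 3}  # bugs the viewing user is not allowed to see


def graph_edges(root, depends_on, private, enforce_visibility):
    """Collect (bug, dependency) edges reachable from root.

    enforce_visibility=False follows every edge (the reported behaviour).
    enforce_visibility=True reads the dependency list only of bugs the
    user can see, so a private bug appears as a leaf and nothing behind
    it is revealed unless a visible bug also links to it.
    """
    edges = set()
    seen = {root}
    queue = deque([root])
    while queue:
        bug = queue.popleft()
        if enforce_visibility and bug in private:
            continue  # do not expand a bug the user cannot open
        for dep in depends_on.get(bug, []):
            edges.add((bug, dep))
            if dep not in seen:  # also guards against dependency cycles
                seen.add(dep)
                queue.append(dep)
    return edges


def graph_nodes(root, edges):
    """Every bug id that would be drawn in the graph."""
    return {root} | {bug for edge in edges for bug in edge}


if __name__ == "__main__":
    for enforce in (False, True):
        edges = graph_edges(1, DEPENDS_ON, PRIVATE, enforce)
        print(enforce, sorted(graph_nodes(1, edges)), sorted(edges))
```

With the check enabled, Bug Two is still drawn, because Bug One's own dependency list names it, but Bugs Three and Four are not.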