Closed Bug 916999 Opened 12 years ago Closed 12 years ago

Bug.update should require update_token provided by Bug.get to commit changes

Categories

(Bugzilla :: WebService, enhancement)

enhancement
Not set
normal

RESOLVED WONTFIX

People

(Reporter: dkl, Assigned: dkl)

Details

Currently Bug.get will provide an 'update_token' if you view a bug and you are logged in. This update_token, however, is not required when making changes to the bug and is currently only used by the possible_duplicates feature to add a user to the cc list of a bug. It would be better if Bug.update required that the token be passed in to make any changes. This would, however, require the user to first get the token using Bug.get before submitting a change, but I don't feel that is unreasonable. Patch coming up. dkl
What's the rationale to force the client to first call Bug.get? Do you have evidence of a security vulnerability if we don't do that? You already have to be logged in before calling Bug.update.
(In reply to David Lawrence [:dkl] from comment #0)
> This would although require the user to first get the
> token using Bug.get before submitting a change but I don't feel that is
> unreasonable.

I disagree with this. It should be possible to call Bug.update without calling Bug.get.
I just wanted to open up for discussion whether we should go this route for consistency with show_bug.cgi/process_bug.cgi, and also because update_token is returned by Bug.get, which may be confusing to the client. I do not know of a security reason for doing this, as we do not allow cookie auth for GET, only POST/PUT. So I will close this out, as it sounds like it is not needed at this time. dkl
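The flow proposed in comment #0 (Bug.get hands out an update_token, Bug.update refuses to commit without it), written out as an added illustrative model rather than Bugzilla's own code: the token is an HMAC bound to the logged-in user and the bug id under a constructed site-wide secret, the in-memory bug store is constructed, and the real Bugzilla token format (which also carries a timestamp) is not reproduced.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for Bugzilla's site-wide secret; not a real value.
SITE_WIDE_SECRET = secrets.token_bytes(32)

# Constructed in-memory bug store standing in for the Bugzilla database.
BUGS = {916999: {"summary": "Bug.update should require update_token", "cc": set()}}


def _update_token(user, bug_id):
    # Bind the token to both the user and the bug, so a token obtained for
    # one bug (or by one account) cannot authorize changes to another.
    msg = f"{user}:{bug_id}".encode()
    return hmac.new(SITE_WIDE_SECRET, msg, hashlib.sha256).hexdigest()


def bug_get(user, bug_id):
    """Model of Bug.get: returns the bug, plus an update_token when logged in."""
    bug = dict(BUGS[bug_id])
    bug["cc"] = sorted(bug["cc"])
    if user is not None:
        bug["update_token"] = _update_token(user, bug_id)
    return bug


def bug_update(user, bug_id, changes, update_token=None):
    """Model of the proposed Bug.update: commits only with a valid token."""
    if user is None:
        raise PermissionError("login required")
    if update_token is None:
        raise PermissionError("update_token required")
    expected = _update_token(user, bug_id)
    # Constant-time compare so the check does not leak the token byte by byte.
    if not hmac.compare_digest(update_token, expected):
        raise PermissionError("invalid update_token")
    bug = BUGS[bug_id]
    for who in changes.get("cc_add", []):
        bug["cc"].add(who)
    if "summary" in changes:
        bug["summary"] = changes["summary"]
    return bug_get(user, bug_id)
```

Calling bug_update without a token, or with a token issued to a different user, is rejected before any change is stored.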
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Resolution: INVALID → WONTFIX
Target Milestone: Bugzilla 5.0 → ---