Closed Bug 993218 Opened 11 years ago Closed 10 years ago

Only allow users with editbugs to log in and perform actions

Categories

(MozReview Graveyard :: General, defect, P2)

Production
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mcote, Unassigned)

In Bugzilla, most attachment-flag operations are restricted to members of the editbugs group. Thus, we should restrict login and write actions in Review Board to these members. The exception, as recently implemented, is that requestees can also set the flag value, so that you can ask any user for a review or feedback regardless of their groups. For starters, I think we should still enforce editbugs membership; we can refine later.
We need to test every time a user tries to write changes, since their membership can change at any time. I think we can do this check when a user publishes changes in the UI and in web API calls. We'll need to make sure it's a pre-commit hook so that the action is not recorded in Review Board if it fails the permission check. We also need to make sure there's a useful error displayed/returned to the user.
Not critical for initial launch.
Priority: P1 → P2
Keywords: bmo-big
Product: bugzilla.mozilla.org → Developer Services
Is this still necessary?
Flags: needinfo?(mcote)
No, thinking about this more, it's a bad idea, since it would prevent a new user from publishing a review request. The problem is that only editbugs users will be able to do a "ship it", since setting a flag to anything other than ? is disallowed unless you have editbugs... I think. Really we should just be deferring to BMO permissions and presenting clear errors when someone attempts to do something that they don't have permission to do. That way we don't have to update rbbz if we change policies in BMO.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mcote)
Resolution: --- → WONTFIX
Blocks: 1119065
Product: Developer Services → MozReview
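
The approach the closing comment settles on, as an added example that is not part of the bug thread and is not rbbz, Review Board or Bugzilla code: the review tool keeps no group check of its own, asks the tracker to make the change first, records the action locally only if that succeeds, and turns a refusal into a clear error. All class names, method names, users and groups are hypothetical, and the policy in `set_flag` is a simplified stand-in for the one described in the thread.

```python
# Added illustration. Every class and method name is hypothetical; none of this
# is rbbz, Review Board or Bugzilla API. All users and groups are constructed.

class UpstreamPermissionDenied(Exception):
    """Raised by the stand-in tracker when it refuses a flag change."""

class PublishError(Exception):
    """Error the review tool returns to the user."""

class FakeTracker:
    """Stand-in for the authoritative tracker (BMO in the thread)."""
    def __init__(self, groups):
        self.groups = groups   # user -> set of group names; can change at any time
        self.flags = {}        # attachment id -> (status, setter)

    def set_flag(self, user, attachment, requestee, status):
        # Simplified policy as described in the thread: anyone may request ("?");
        # any other value needs editbugs, unless the setter is the requestee.
        allowed = (status == "?"
                   or "editbugs" in self.groups.get(user, set())
                   or user == requestee)
        if not allowed:
            raise UpstreamPermissionDenied(f"{user} may not set review{status}")
        self.flags[attachment] = (status, user)

class ReviewTool:
    def __init__(self, tracker):
        self.tracker = tracker
        self.published = []    # local record of published actions

    def publish(self, user, attachment, requestee, status):
        # No cached group check here: the tracker decides at the moment of the
        # write, so a membership or policy change takes effect immediately.
        try:
            self.tracker.set_flag(user, attachment, requestee, status)
        except UpstreamPermissionDenied as exc:
            # The upstream write failed, so nothing is recorded locally.
            raise PublishError(f"Not published: the tracker refused ({exc}).") from exc
        self.published.append((user, attachment, status))
        return True
```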