Closed Bug 993222 Opened 11 years ago Closed 11 years ago

Disallow reviews for confidential bugs

Categories

(MozReview Graveyard :: General, defect, P1)

Product:
MozReview Graveyard
Component:
General
Version:
Production
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mcote, Unassigned)

References

Details

(Keywords: bmo-big)

While Review Board is in its initial stages of adoption, to lessen the security attack surface, we should disallow reviews for confidential bugs. They'll have to use the old Splinter tool. There are two parts to this: * When a review is published, verify that it isn't for a confidential bug. If it is, don't publish it, and throw up an error. We need to verify if draft reviews are publicly visible in Review Board; I don't think they are, but I'm not sure. * When a bug is made confidential, delete the associated review. The second part will require a Bugzilla extension, to be filed separately.
Depends on: 993223
We'll probably need a custom web API here, and it should return a diff generated from the review so that no work is lost, before it deletes the review.
Priority: -- → P1
For now, we'll just use the standard HTTP DELETE method and not worry about preserving the patch. I've disallowed posting to non-public bugs: https://github.com/mozilla/rbbz/commit/5573294073af632c281f9dffea429e6599e8bea6 Just need the Bugzilla extension for when bugs with existing reviews are made confidential.
Bugzilla extension is done and will be deployed next push.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Product: bugzilla.mozilla.org → Developer Services
Product: Developer Services → MozReview
You need to log in before you can comment on or make changes to this bug.