Bug 824974

Summary: Partner field value is being removed when bug changed by user who is not able to set that Partner field value
Product: [Community] Bugzilla
Reporter: John Villalovos <jvillalo>
Component: Creating/Changing Bugs
Assignee: Simon Green <sgreen>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.2
CC: dbayly, ebaak, hui.xiao, jane.lv, jbrier, jvillalo, jwilleford, keve.a.gabbert, salmy, sgreen, skibria
Target Milestone: 4.2-1
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 4.2.1-1.6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-28 02:14:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 786624

Description John Villalovos 2012-05-24 17:59:41 UTC
This has happened twice now.  Sami added a comment to the below bug and the Partner field was removed.

Email I received:

https://bugzilla.redhat.com/show_bug.cgi?id=791368

Sami Kibria <skibria> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Partner|Intel                       |

--- Comment #10 from Sami Kibria <skibria> ---
<censored>

Comment 1 John Villalovos 2012-05-24 20:05:14 UTC
My guess is that this is happening when people who are unable to set the Partner field to an existing value make a change to the bug; the Partner field value then gets removed for that value.

I am starting to notice this happening when people who are not part of the Intel group modify bugs we have shared with them.

Comment 2 Simon Green 2012-05-25 00:35:08 UTC

*** This bug has been marked as a duplicate of bug 825010 ***

Comment 3 John Villalovos 2012-05-25 00:36:56 UTC
Simon,

Any chance I could have access to see Bug 825010?  Seems to be marked private.

Comment 4 Simon Green 2012-05-25 00:44:11 UTC
(In reply to comment #3)
> Simon,
> 
> Any chance I could have access to see Bug 825010?  Seems to be marked
> private.

No, I'm changing the duplication to this bug to work around it.

  -- simon

Comment 5 Simon Green 2012-05-25 00:44:24 UTC
*** Bug 825010 has been marked as a duplicate of this bug. ***

Comment 6 Simon Green 2012-05-25 07:19:45 UTC
Hi guys,

I've mostly written the code change for this, but I want to do a serious amount of testing before it goes live due to the amount of code that has changed. One core change is that there is now a check in place that always runs to ensure that a value cannot be added or removed by someone not authorised to. This means even if there is leakage in some other part of the code, the user would be presented with an error instead of being able to add / remove something they cannot.

If they are trying to remove a field (as is the case with this bug), they will not be told what value they were trying to remove, as this is partner confidential.

Assuming all goes well, this change will be released on Monday.

  -- simon
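
The always-on check described in comment 6, sketched as an added example; it is not Red Hat Bugzilla's code, which does not appear on this page. The group names, the value-to-group map and every function name are assumptions for illustration, and `merge_submission` is one assumed way for a caller to keep values the user cannot set, not something the thread describes.

```python
class FieldChangeDenied(Exception):
    """A user tried to add or remove a value they are not authorised to set."""

# Constructed sample data: each Partner value and the group allowed to set it.
VALUE_GROUPS = {"Intel": "intel_partner", "ExampleCo": "exampleco_partner"}

def settable_values(user_groups, value_groups):
    """Values this user may add or remove (deny by default)."""
    return {v for v, g in value_groups.items() if g in user_groups}

def naive_update(current, submitted):
    """Reported behaviour: the submitted set replaces the stored one, so a
    value the edit form never offered to this user is silently dropped."""
    return set(submitted)

def checked_update(current, submitted, user_groups, value_groups):
    """Always-on check: every added or removed value must be settable."""
    allowed = settable_values(user_groups, value_groups)
    current, submitted = set(current), set(submitted)
    denied_adds = (submitted - current) - allowed
    if denied_adds:
        # The user supplied these values, so the message repeats only their input.
        raise FieldChangeDenied("not authorised to add: " + ", ".join(sorted(denied_adds)))
    if (current - submitted) - allowed:
        # Never name the removed value: it is partner confidential.
        raise FieldChangeDenied("not authorised to remove a value from this field")
    return submitted

def merge_submission(current, submitted, user_groups, value_groups):
    """Assumed caller-side fix: carry over stored values the user cannot set."""
    hidden = set(current) - settable_values(user_groups, value_groups)
    return set(submitted) | hidden

if __name__ == "__main__":
    stored, outsider = {"Intel"}, {"exampleco_partner"}
    print(naive_update(stored, set()))  # stored value lost
    try:
        checked_update(stored, set(), outsider, VALUE_GROUPS)
    except FieldChangeDenied as err:
        print("rejected:", err)
    kept = merge_submission(stored, set(), outsider, VALUE_GROUPS)
    print(checked_update(stored, kept, outsider, VALUE_GROUPS))
```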

Comment 10 Simon Green 2012-05-28 02:14:27 UTC
This will be part of the next Red Hat Bugzilla release. Please report any problem you notice with the new code ASAP.

  -- simon

Comment 11 Simon Green 2012-05-29 06:31:01 UTC
Red Hat Bugzilla 4.2.1-1.6 was released a few minutes ago.

  -- simon