When a bug is marked private and the user does not have permission to see it, then at a minimum display the release notes field along with the standard access denied error message. Noura, is this something that is expected and preferred by the ones who originally requested the new cf_release_notes field? Thanks Dave
Created attachment 306982 Patch to display release notes publicly for private bugs (v1) Attaching patch to display the cf_release_notes publicly for private bugs. This is specific to the cf_release_notes field which will get us something working quickly. But ideally something we should look into doing possibly is either do this as a proper Red Hat extension or add a new boolean column to the fielddefs table maybe called 'public'. And then just display all fields marked as public when a bug is inaccessible. The public flag could be set through the editfields.cgi interface. Thoughts? Review? Dave
Comment on attachment 306982 Patch to display release notes publicly for private bugs (v1) Hi Dave, The patch looks good and works as expected. I think making the fields optional to be public for private bugs is a good idea. Thanks, Noura
Created attachment 307137 Patch to display public fields for private bugs (v1) Here is a patch that actually adds a new public flag to any custom field. This will allow a field to be displayed when a bug is private and the user cannot see it. This is a better solution as it allows more than a single field to be displayed and also is managed through the web UI. I have this installed on bz-web2-test.devel.redhat.com if you want to try it. For example just log out and go to bug 9661 and you will see a couple of public fields displayed. When logged in, I also put a (Public) designation next to public fields so people will know not to put confidential information in them. Please review Thanks Dave
Comment on attachment 307137 Patch to display public fields for private bugs (v1) Hi Dave, The patch looks very pretty :). I talked to Mike about making the release notes field public and he likes the idea, one thing we discussed was that if the bug is a security sensitive bug then no info at all should be displayed, I think it is a pretty good idea if we can make it a general rule that public fields should not even be displayed at all if a bug is a security sensitive bug so maybe in your patch we can do this little change as the following:

>Index: Bugzilla/Bug.pm >=================================================================== > >+ >+ # REDHAT EXTENSION START 448774 >+ my $bug = Bugzilla::Bug->new($id); >+ my @public_data; >+ my $public_fields = Bugzilla::Field->match({custom => 1, obsolete => 0, public => 1}); >+ foreach my $field (@$public_fields) { >+ if ($bug->{$field->name}) { >+ $field->{'value'} = $bug->{$field->name}; >+ push(@public_data, $field); >+ } >+ } >+ > if ($user->id) { >- ThrowUserError("bug_access_denied", {'bug_id' => $id}); >+ ThrowUserError("bug_access_denied", >+ {'bug_id' => $id, >+ 'public_data' => \@public_data}); > } else { >- ThrowUserError("bug_access_query", {'bug_id' => $id}); >+ ThrowUserError("bug_access_query", >+ {'bug_id' => $id, >+ 'public_data' => \@public_data}); > } >+ # REDHAT EXTENSION END 448774 > }

    # REDHAT EXTENSION START 448774
    my $bug = Bugzilla::Bug->new($id);
    my @public_data;
    my $public_fields = Bugzilla::Field->match({custom => 1, obsolete => 0, public => 1});
    foreach my $field (@$public_fields) {
        if ($bug->{$field->name}) {
            $field->{'value'} = $bug->{$field->name};
            push(@public_data, $field);
        }
    }
    # Bugs in the 'security' group get the plain error with no public data.
    foreach my $bug_group (@{$bug->groups_in}) {
        if ($bug_group->name eq 'security') {
            if ($user->id) {
                ThrowUserError("bug_access_denied", {'bug_id' => $id});
            } else {
                ThrowUserError("bug_access_query", {'bug_id' => $id});
            }
        }
    }
    if ($user->id) {
        ThrowUserError("bug_access_denied", {'bug_id' => $id,
                                             'public_data' => \@public_data});
    } else {
        ThrowUserError("bug_access_query", {'bug_id' => $id,
                                            'public_data' => \@public_data});
    }
    # REDHAT EXTENSION END 448774

What do you think? Or we can just make it specific to the release notes field. Thanks, Noura
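Review bot: In the quoted hunk's foreach loop, `$field->{'value'} = $bug->{$field->name};` stores one bug's data on the Bugzilla::Field definition object, so the value travels with that object wherever it is reused; pushing a separate pair such as `{ field => $field, value => $bug->{$field->name} }` onto @public_data, and reading it that way in the error template, keeps field definitions free of per-bug data. The guard `if ($bug->{$field->name})` is a truthiness test, so a public field whose value is "0" is silently dropped; testing for a defined, non-empty value avoids that. Both ThrowUserError calls also pass public_data for every inaccessible bug with no check of the bug's groups, which is the gap the security-group loop proposed in this comment closes.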
Created attachment 307159 Patch to display public fields for private bugs (v2) Thanks Noura. I made it that all public fields are not visible if the security group is on. We can further discuss whether some fields are safe even when the bug is security sensitive but we will be cautious and do them all for now. I created a new v2 patch that uses your suggestion. Please review Thanks Dave
Comment on attachment 307159 Patch to display public fields for private bugs (v2) Looks good to me Dave, tested it and it works nicely. Thanks, Noura
Checked into CVS. Dave
This change is now on partner-bugzilla.redhat.com and will be in the final release.