Bug 448774 - Display release notes field when bug is inaccessible
Status: CLOSED NEXTRELEASE
Product: Bugzilla
Classification: Community
Component: User Interface
Version: 3.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: PnT DevOps Devs
Blocks: RHBZ30UpgradeTracker
Reported: 2008-05-28 14:29 EDT by David Lawrence
Modified: 2013-06-23 22:17 EDT
Doc Type: Bug Fix
Last Closed: 2008-07-01 22:26:30 EDT

Attachments
Patch to display release notes publicly for private bugs (v1) (2.87 KB, patch)
2008-05-28 16:24 EDT, David Lawrence
nelhawar: review+
dkl: review? (kbaker)
Patch to display public fields for private bugs (v1) (10.26 KB, patch)
2008-05-29 16:53 EDT, David Lawrence
no flags
Patch to display public fields for private bugs (v2) (10.43 KB, patch)
2008-05-30 00:11 EDT, David Lawrence
nelhawar: review+
dkl: review? (kbaker)

Description David Lawrence 2008-05-28 14:29:33 EDT
When a bug is marked private and the user does not have permission to see it,
then at a minimum display the release notes field along with the standard access
denied error message.

Noura, is this something that is expected and preferred by the ones who
originally requested the new cf_release_notes field?

Thanks
Dave
Comment 1 David Lawrence 2008-05-28 16:24:02 EDT
Created attachment 306982 [details]
Patch to display release notes publicly for private bugs (v1)

Attaching patch to display the cf_release_notes publicly for private bugs.
This is specific to the cf_release_notes field which will get us something
working quickly. 

But ideally something we should look into doing possibly is either do this as
a proper Red Hat extension or add a new boolean column to the fielddefs table
maybe called 'public'. And then just display all fields marked as public when a
bug is inaccessible. The public flag could be set through the editfields.cgi
interface.

Thoughts? Review?
Dave
Comment 2 Noura El hawary 2008-05-28 23:51:35 EDT
Comment on attachment 306982 [details]
Patch to display release notes publicly for private bugs (v1)

Hi Dave,

The patch looks good and works as expected. I think making the fields optional
to be public for private bugs is a good idea. 

Thanks,
Noura
Comment 3 David Lawrence 2008-05-29 16:53:35 EDT
Created attachment 307137 [details]
Patch to display public fields for private bugs (v1)

Here is a patch that actually adds a new public flag to any custom field. This
will allow a field to be displayed when a bug is private and the user cannot
see it. This is a better solution as it allows more than a single field to be
displayed and also is managed through the web UI.

I have this installed on bz-web2-test.devel.redhat.com if you want to try it.
For example just log out and go to bug 9661 and you will see a couple of public
fields displayed.

When logged in, I also put a (Public) designation next to public fields so
people will know not to put confidential information in them.

Please review
Thanks
Dave
Comment 4 Noura El hawary 2008-05-29 22:08:45 EDT
Comment on attachment 307137 [details]
Patch to display public fields for private bugs (v1)

Hi Dave,

The patch looks very pretty :). I talked to Mike about making the release notes
field public and he likes the idea, one thing we discussed was that if the bug
is a security sensitive bug then no info at all should be displayed, I think it
is a pretty good idea if we can make it a general rule that public fields
should not even be displayed at all if a bug is a security sensitive bug so
maybe in your patch we can do this little change as the following:



>Index: Bugzilla/Bug.pm
>===================================================================
>
>+    
>+    # REDHAT EXTENSION START 448774
>+    my $bug = Bugzilla::Bug->new($id);
>+    my @public_data;
>+    my $public_fields = Bugzilla::Field->match({custom => 1, obsolete => 0, public => 1});
>+    foreach my $field (@$public_fields) {
>+        if ($bug->{$field->name}) {
>+            $field->{'value'} = $bug->{$field->name};
>+            push(@public_data, $field);
>+        }
>+    }
>+
>     if ($user->id) {
>-        ThrowUserError("bug_access_denied", {'bug_id' => $id});
>+        ThrowUserError("bug_access_denied", 
>+            {'bug_id'      => $id, 
>+             'public_data' => \@public_data});
>     } else {
>-        ThrowUserError("bug_access_query", {'bug_id' => $id});
>+        ThrowUserError("bug_access_query", 
>+            {'bug_id'      => $id, 
>+             'public_data' => \@public_data});
>     }
>+    # REDHAT EXTENSION END 448774
> }
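Review bot: the loop that fills @public_data, placed ahead of `if ($user->id)`, runs for every inaccessible bug without looking at which groups restrict it, so any field flagged public is handed to both ThrowUserError calls even when the bug sits in a group where nothing should be disclosed; check the bug's groups first and fall back to the original `{'bug_id' => $id}` arguments in that case. Two smaller points in the same loop: `if ($bug->{$field->name})` is a truthiness test, so a field whose value is "0" is dropped, and `$field->{'value'} = ...` stores per-bug data on the Field object returned by match(); pushing a separate name/value pair onto @public_data would keep the field definitions free of bug data.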


    # REDHAT EXTENSION START 448774
    my $bug = Bugzilla::Bug->new($id);
    my @public_data;
    my $public_fields = Bugzilla::Field->match({custom => 1, obsolete => 0,
                                                public => 1});
    foreach my $field (@$public_fields) {
	if ($bug->{$field->name}) {
	    $field->{'value'} = $bug->{$field->name};
	    push(@public_data, $field);
	}
    }

    foreach my $bug_group (@{$bug->groups_in}) {
	if ($bug_group->name eq 'security') {
	    if ($user->id) {
		ThrowUserError("bug_access_denied", {'bug_id' => $id});
	    }
	    else {
		ThrowUserError("bug_access_query", {'bug_id' => $id});
	    }
	}
    }

    if ($user->id) {
	ThrowUserError("bug_access_denied",
	    {'bug_id'	   => $id,
	     'public_data' => \@public_data});
    } else {
	ThrowUserError("bug_access_query",
	    {'bug_id'	   => $id,
	     'public_data' => \@public_data});
    }
    # REDHAT EXTENSION END 448774


What do you think? Or we can just make it specific to the release notes field.

Thanks,
Noura
Comment 5 David Lawrence 2008-05-30 00:11:09 EDT
Created attachment 307159 [details]
Patch to display public fields for private bugs (v2)

Thanks Noura. I made it that all public fields are not visible if the security
group is on. We can further discuss whether some fields are safe even when the
bug is security sensitive but we will be cautious and do them all for now. I
created a new v2 patch that uses your suggestion. 

Please review
Thanks
Dave
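
The rule settled on in comments 4 and 5 (show public fields on the access-denied page, but show none when the bug is in the security group), as an added stand-alone example that is not the attached patch or Bugzilla's own code. It uses plain hashes instead of Bugzilla::Field and Bugzilla::Bug objects; the function name public_data_for_denied_bug, the deny-all group table and all sample values are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed stand-ins for field definitions; plain hashes here,
# not Bugzilla::Field objects.
my @fields = (
    { name => 'cf_release_notes', custom => 1, obsolete => 0, public => 1 },
    { name => 'cf_build_count',   custom => 1, obsolete => 0, public => 1 },
    { name => 'cf_partner_id',    custom => 1, obsolete => 0, public => 0 },
    { name => 'cf_old_notes',     custom => 1, obsolete => 1, public => 1 },
);

# Groups for which nothing is disclosed (assumed table; the thread names 'security').
my %deny_all_group = (security => 1);

# Hypothetical helper: name/value pairs that may accompany the access-denied error.
sub public_data_for_denied_bug {
    my ($bug, $fields) = @_;

    # Fail closed: any sensitive group on the bug suppresses every field.
    return [] if grep { $deny_all_group{$_} } @{ $bug->{groups} || [] };

    my @public_data;
    foreach my $field (@$fields) {
        next unless $field->{custom} && $field->{public} && !$field->{obsolete};
        my $value = $bug->{ $field->{name} };
        # Test for "set and non-empty" so a legitimate value of "0" survives.
        next unless defined $value && length $value;
        # Copy into a new hash; the shared field definition is left untouched.
        push @public_data, { name => $field->{name}, value => $value };
    }
    return \@public_data;
}

# Constructed values of one restricted bug.
my %bug = (
    cf_release_notes => 'Fixed in the next errata.',
    cf_build_count   => '0',
    cf_partner_id    => 'ACME-42',
    cf_old_notes     => 'stale',
);

# Same bug, first in a private group only, then also in the security group.
for my $groups (['private'], ['private', 'security']) {
    my $shown = public_data_for_denied_bug({ %bug, groups => $groups }, \@fields);
    printf "%-18s -> %s\n", join(',', @$groups),
        join(', ', map { $_->{name} . '=' . $_->{value} } @$shown) || '(nothing)';
}
```

The first case discloses only cf_release_notes and cf_build_count (the non-public and obsolete fields are filtered out); the second discloses nothing.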
Comment 6 Noura El hawary 2008-06-02 00:57:16 EDT
Comment on attachment 307159 [details]
Patch to display public fields for private bugs (v2)

Looks good to me Dave, tested it and it works nicely.

Thanks,
Noura
Comment 7 David Lawrence 2008-06-17 18:03:48 EDT
Checked into CVS.

Dave
Comment 8 David Lawrence 2008-07-01 22:26:30 EDT
This change is now on partner-bugzilla.redhat.com and will be in the final release.
