The current code use bz xmlrpc function to get comments.  If the log in user is not in "private_comment" group, the returned result of bz xmlrpc call won't include private comments.  Therefore, the comment serial number will not match with the result of bz xmlrpc function calling from a user who is in "private_comment" group.

In bugzilla code, it simply gets all comments from db, then hide private comments if the user is not in "private_comment" group.  We can use the similar approach by using a dummy user who are in "private_comment" and use this user to call xmlrpc function to get all comments, then we hide the private comments if the real user is not in "private_comment" group.

I have worked out a patch to do so.  It will need
1. add a dummy user who is in "private_comment" and "redhat" group.  (I created one "hwcert-private-xmlrpc" on web2 and used it in my patch)
2. add the dummy user's user name and password in localhost file as following
$hwcert_private_user = 'hwcert-private-xmlrpc';
$hwcert_private_password = '';

Created attachment 549126 [details]
fix the mismatched comment number

Since the new patch need a private group account and it can bring some security issues without a comprehensive test, we move it to hybrid4.  Also, I have discussed it with reviewers and they are ok with the move.

make some changed on old patch and applied the new patch on web2.  The patch requires a dummy account which is in private_comment group, so if the user is not in "private_comment" group, the correct total comments number can still be returned by using the dummy account and the "private" comments will be properly hidden.  (it is pretty much the same approach as bz handles the comments serial number).

Created attachment 560459 [details]
bug fix patch

Comment on attachment 560459 [details]
bug fix patch

looks good

Comment on attachment 560459 [details]
bug fix patch

good to me

Is this patch applied anywhere?  Have we compared it to the BZ behavior?

verified on partner