Closed
Bug 1484892
Opened 6 years ago
Closed 6 years ago
Modify EditComments extension to let anyone use it conditionally and support inline editing
Categories
(bugzilla.mozilla.org :: Extensions, enhancement)
Tracking
()
RESOLVED
FIXED
People
(Reporter: kohei, Unassigned)
References
Details
Attachments
(2 files)
In Bug 1484477 Comment 6, :dylan mentioned that the extension allows you to edit anyone’s comment. Currently It’s fine because only admins have the privilege, but it’s gonna be a problem if we allow all editbugs members to edit comments.
Regular users should only be allowed to edit their own posted comments, while admins should be able to edit anyone’s comment with no configuration.
|
Reporter | |
Updated•6 years ago
|
Assignee: nobody → kohei.yoshino
Status: NEW → ASSIGNED
|
|
Reporter | |
Comment 1•6 years ago
|
||
Are there any cases admins have deleted sensitive information by editing comments? The editcomments.html page has a group membership validation probably for that purpose, so currently only admins can view history:
https://github.com/mozilla-bteam/bmo/blob/master/extensions/EditComments/Extension.pm#L73-L79
For transparency, comment edit history should be visible to anyone just like Facebook or GitHub. Probably admins should be able to delete/hide a specific revision?
See also: https://help.github.com/articles/tracking-changes-in-a-comment/
Flags: needinfo?(dylan)
|
|
Reporter | |
Comment 2•6 years ago
|
||
|
|
Reporter | |
Comment 3•6 years ago
|
||
(In reply to Kohei Yoshino [:kohei] from comment #2)
> WIP: https://github.com/kyoshino/bmo/compare/bug-1484892-editcomments-priv
Updated to allow admins to hide specific revisions if needed. All existing revisions will also be hidden by default, in case any of these contains sensitive info.
|
||
Comment 4•6 years ago
|
||
(In reply to Kohei Yoshino [:kohei] from comment #1)
> Are there any cases admins have deleted sensitive information by editing
> comments? The editcomments.html page has a group membership validation
> probably for that purpose, so currently only admins can view history:
Yes we have done that many times. Passwords, API keys, etc. are removed from comments. We would want the certain history items to be invisible for that reason.
dkl
|
|
Reporter | |
Comment 5•6 years ago
|
||
Okay, then per-revision visibility control is certainly needed. Here are screenshots of how it will look like:
Admin: https://screenshots.firefox.com/K2QZYsVlfwvc5haS/bmo-web.vm
Non-admin: https://screenshots.firefox.com/kPFKrKKs78X7ek6F/bmo-web.vm
Flags: needinfo?(dylan)
|
|
||
Comment 6•6 years ago
|
||
(In reply to Kohei Yoshino [:kohei] from comment #5)
> Okay, then per-revision visibility control is certainly needed. Here are
> screenshots of how it will look like:
>
> Admin: https://screenshots.firefox.com/K2QZYsVlfwvc5haS/bmo-web.vm
> Non-admin: https://screenshots.firefox.com/kPFKrKKs78X7ek6F/bmo-web.vm
Looks good to me. I would just implement it the same way we do private comments and only allow those in the insider comments group to see the private revision. What we could do is, when editing a current comment, if the user is an insider, display another checkbox above the textarea called "Hidden" or "Hide Revision" or something similar.
dkl
|
|
||
Comment 7•6 years ago
|
||
The users in the insiders group are already privileged enough to see the hidden comment changes so there is no need to just limit to admins only.
|
|
Reporter | |
Comment 8•6 years ago
|
||
My current implementation is adding a new group:
* (existing) edit_comments_group; default: admin
* (new) edit_own_comments_group bit; default: editbugs
But yeah, $user->is_insider should be able to edit any comments.
* (existing) insidergroup; default: admins and others?
* (existing) edit_comments_group; default: editbugs
Actually my initial implementation was like that. Will update again and send a PR.
|
|
Reporter | |
Comment 9•6 years ago
|
||
Added "Hide This Revision" checkbox above the textarea: https://screenshots.firefox.com/E57oyLFaDxQNisS9/bmo-web.vm
|
|
Reporter | |
Updated•6 years ago
|
Summary: Allow non-admin users to only edit their own comments → Modify EditComments extension to allow anyone to use it conditionally
|
|
Reporter | |
Updated•6 years ago
|
Summary: Modify EditComments extension to allow anyone to use it conditionally → Modify EditComments extension to let anyone use it conditionally and support inline editing
|
|
Reporter | |
Comment 10•6 years ago
|
||
Yes, inline editing... https://screenshots.firefox.com/WqC5RhA0S1KQmNyA/bmo-web.vm
|
||
Comment 11•6 years ago
|
||
Kate, do you see any issues here with how we're allowing edits on bugs?
Flags: needinfo?(kmancuso)
| Comment hidden (obsolete) |
|
|
Reporter | |
Comment 14•6 years ago
|
||
Ugh, sorry, this was the implementation bug. Redirecting folks to admin Bug 1484477...
Flags: needinfo?(kmancuso)
Flags: needinfo?(cneiman)
|
|
Reporter | |
Comment 15•6 years ago
|
||
|
|
Reporter | |
Comment 16•6 years ago
|
||
| Comment hidden (obsolete) |
|
|
Reporter | |
Updated•6 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
|
||
Comment 18•6 years ago
|
||
Only the schema is going out first, we'll resolve this when the main code lands.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Reporter | |
Comment 19•6 years ago
|
||
Merged to master, again \o/
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Updated•6 years ago
|
|
||
Updated•5 years ago
|
Assignee: kohei.yoshino → nobody
Component: Extensions: EditComments → Extensions
You need to log in
before you can comment on or make changes to this bug.
Description
•