Closed Bug 210779 Opened 21 years ago Closed 21 years ago

Turning on "usebuggroups" leaves existing bugs readable by everyone (groupset=0)

Categories

(Bugzilla :: Administration, task)

Product:
Bugzilla
Component:
Administration
Platform:
x86
Linux
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 147275

People

(Reporter: dfaure, Assigned: justdave)

Details

User-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; Linux) Build Identifier: Konqueror I turned on usebuggroups and usebuggroupsentry on an existing bugzilla setup, in order to have a modular bugzilla installation where customers can only see bugs related to their projects. I checked that every product had a matching group with the same name (I had to create a few). I created a new user, and made him part of *no* group at all. This user can still see a lot of bugs, by submitting the query page empty. Although the table in the query page shows no product at all, that user can still see many bugs from various products. The reason seems to be that the existing bugs still have a groupset field with a value of 0. I'm not sure what's the right fix, but what about setting the groupset of all bugs for a product, to the value of the group - when turning on those parameters, or maybe (also) when creating the missing group for a product? OK, now it sounds like a feature request, but if you only read what I did and the result I got, it really felt like a bug: a user with no permission at all, could run a query and see lots of bugs he wasn't allowed to see... Reproducible: Always Steps to Reproduce: 1. Create products, groups and bugs (they'll get groupset==0, right?). 2. Turn on usebuggroups and usebuggroupsentry 3. Create user, make him part of no group 4. Log in as that user, go to query page, submit as is Actual Results: That user could see all bugs. Expected Results: "What should Mozilla have done instead?" < this isn't about Mozilla, this is about Bugzilla. Your bug report website should be a bit more adaptative :) The user shouldn't see any bugs.
This is fixed already. Versions 2.17.3 and up allow you to place all existing bugs in the product into the group when you secure the product. In 2.16.3 the only way to do this is to run a query that matches all bugs in that product, then do the "change several bugs at once" and use that change form to add that group to all of those bugs. *** This bug has been marked as a duplicate of 147275 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.