Advanced search with no criteria returns every bug

Peter Cunningham

Mar 6, 2008, 10:57:56 PM
to support-...@lists.mozilla.org
All,

It seems that the default "advanced search" behavior when all criteria in
all search fields is blank/unselected, is that ALL bugs in ALL products are
displayed in the search results - even when the user has absolutely no
permissions to anything!

Bugzilla properly restricts the user's ability to enter new bugs and change
bugs.

I cannot find any parameter that might be relevant here. It feels sort of
like a loophole. Has anyone experienced anything similar?

Thanks!

Peter

Benton, Kevin

Mar 6, 2008, 11:09:58 PM
to support-...@lists.mozilla.org
Patient: Doctor, it hurts when I do this.

Doctor: Well, then don't do that!

Kevin Benton
MySQL DBA #5739
Senior Software Developer
CAD Global Infrastructure Flow Services
Advanced Micro Devices
2950 E Harmony Rd
Fort Collins, CO 80528


Benton, Kevin

Mar 6, 2008, 11:12:49 PM
to Benton, Kevin, support-...@lists.mozilla.org
support-bugz...@lists.mozilla.org wrote:
> Patient: Doctor, it hurts when I do this.
>
> Doctor: Well, then don't do that!

All kidding aside,

>> It seems that the default "advanced search" behavior when all
>> criteria in all search fields is blank/unselected, is that ALL bugs in
>> ALL products are displayed in the search results - even when the user
>> has absolutely no permissions to anything!

If this has not already been filed, please file a bug on
http://bugzilla.mozilla.org/

Peter Cunningham

Mar 6, 2008, 11:21:59 PM
to support-...@lists.mozilla.org
Aha, the perfect solution!!

Except that it's not..

First of all, there's no point in establishing group policies if there is an
easy way to circumvent them.

Second, and more importantly, we have created a user account for one of our
client contacts, to allow him to post bugs on a system that we are
implementing. But we also have internal company projects that we do not
wish him to have the ability to see, for obvious reasons.

Thanks,
Peter

Max Kanat-Alexander

Mar 7, 2008, 1:23:23 AM
to support-...@lists.mozilla.org
On Thu, 6 Mar 2008 22:57:56 -0500 "Peter Cunningham"
<pcunn...@winmill.com> wrote:
> It seems that the default "advanced search" behavior when all
> criteria in all search fields is blank/unselected, is that ALL bugs
> in ALL products are displayed in the search results - even when the
> user has absolutely no permissions to anything!

For you, or for that user? Remember that admins are in all
groups by default.

If you have actually restricted a bug to a group, it is
invisible in the search results if you are not in that group. So if you
can see a bug in the search results, that's a configuration error, not
a bug in Bugzilla.

-Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.

Bill Barry

Mar 7, 2008, 12:25:44 PM
to support-...@lists.mozilla.org
If this is true, then it is a regression, because it is not how my
installations work (all version 3.1.2+ = some trunk revision from a
couple months ago).

Peter Cunningham wrote:
> All,
>
> It seems that the default "advanced search" behavior when all criteria in
> all search fields is blank/unselected, is that ALL bugs in ALL products are
> displayed in the search results - even when the user has absolutely no
> permissions to anything!
>
> Bugzilla properly restricts the user's ability to enter new bugs and change
> bugs.
>
> I cannot find any parameter that might be relevant here. It feels sort of
> like a loophole. Has anyone experienced anything similar?
>
> Thanks!
>
> Peter

Peter Cunningham

Mar 7, 2008, 10:57:22 PM
to support-...@lists.mozilla.org
Max,

> For you, or for that user? Remember that admins are in all
> groups by default.

For the user in question; the user who has been removed for all groups.

> If you have actually restricted a bug to a group, it is
> invisible in the search results if you are not in that group. So if you
> can see a bug in the search results, that's a configuration error, not
> a bug in Bugzilla.


For every bug entered, we checked the checkbox under "Only users in all of
the selected groups can view this bug - Users reporting or resolving bugs
for <Group Name>"

I have also described some of our additional settings in slightly more
detail below:


Group Security Settings
-----------------------
* makeproductgroups: on
* useentrygroupdefault: on
* chartgroup: editbugs
* insidergroup:
* timetrackinggroup: editbugs
* querysharegroup: editbugs
* usevisibilitygroups: off
* strict_isolation: on


Product Security Settings
-------------------------
(1) Every product has one associated Group. For the associated Group,
access controls are configured as follows:
* Entry: yes
* MemberControl: Default
* OtherControl: NA
* Canedit: yes
* editcomponents: yes
* canconfirm: yes
* editbugs: yes
(2) For all other Groups, product access controls are configured as follows:
* Entry: no
* MemberControl: NA
* OtherControl: NA
* Canedit: no
* editcomponents: no
* canconfirm: no
* editbugs: no


Thanks!
Peter

Max Kanat-Alexander

Mar 8, 2008, 2:13:46 AM
to support-...@lists.mozilla.org
On Fri, 7 Mar 2008 22:57:22 -0500 "Peter Cunningham"
<pcunn...@winmill.com> wrote:
> For the user in question; the user who has been removed for all
> groups.

Okay. Are you sure there's not a regexp adding him to that
group?

Tosh, Michael J

Mar 11, 2008, 10:29:07 AM
to Max Kanat-Alexander, support-...@lists.mozilla.org

> On Fri, 7 Mar 2008 22:57:22 -0500 "Peter Cunningham"
> <pcunn...@winmill.com> wrote:
>> For the user in question; the user who has been removed for all
>> groups.
>
> Okay. Are you sure there's not a regexp adding him to that
> group?
>
> -- Max

Peter, You can check his group permissions if you impersonate him, then
go to preferences and permissions. There will be a list of group
memberships.
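
Added example, not part of the thread and not Bugzilla code: a small Python model of the two checks suggested above, namely whether a group's user regexp silently adds an account to a group, and which bugs carry no group restriction at all. The group names, logins, bug ids and the case-insensitive match are assumptions made for illustration; a real audit would load the groups and per-bug restrictions from your own installation.

```python
import re

# Constructed sample data (hypothetical names): each group has an optional
# user regexp ("" means none) and a set of explicitly added members.
GROUPS = {
    "ClientProject": {"userregexp": "", "members": {"contact@client.example"}},
    "Internal": {"userregexp": r"@.*\.example$", "members": {"dev@corp.example"}},
    "Finance": {"userregexp": "", "members": set()},
}

# Constructed bugs: bug id -> groups the bug is restricted to.
BUGS = {
    101: {"ClientProject"},
    102: {"Internal"},
    103: set(),                     # never restricted to any group
    104: {"Internal", "Finance"},
}


def effective_groups(login, groups=GROUPS):
    """Return {group: reason} for every group the login ends up in."""
    found = {}
    for name, group in groups.items():
        regexp = group["userregexp"]
        if login in group["members"]:
            found[name] = "explicit"
        # Assumption: the regexp is matched case-insensitively against the login.
        elif regexp and re.search(regexp, login, re.IGNORECASE):
            found[name] = "regexp " + regexp
    return found


def visible_bugs(login, bugs=BUGS, groups=GROUPS):
    """Return {bug_id: reason} for each bug the login can see in a search."""
    mine = set(effective_groups(login, groups))
    report = {}
    for bug_id, restricted_to in sorted(bugs.items()):
        if not restricted_to:
            report[bug_id] = "unrestricted"
        elif restricted_to <= mine:  # must be in ALL of the bug's groups
            report[bug_id] = "member of " + ", ".join(sorted(restricted_to))
    return report


if __name__ == "__main__":
    for who in ("contact@client.example", "nobody@outside.test"):
        print(who, effective_groups(who), visible_bugs(who))
```

In this constructed data the client contact sees bug 102 only because the overly broad regexp on `Internal` matches his address, and every account sees bug 103 because it was never placed in a group.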
