| Title | New Bugzilla permissions rules not followed | 
| Status | closed | 
| Priority | essential | 
| Assigned user | Nick Barnes | 
| Organization | Ravenbrook | 
| Description | Bugzilla 2.17.x and 2.18.x have new rules for deciding whether a given user may make a particular change to a particular bug. The P4DTI must enforce the same rules as the version of Bugzilla with which it is running. | 
| Analysis | The rules are enforced in Bugzilla by a routine called CheckCanChangeField().   There are other restrictions enforced by other code. In particular, the groups system enforces restrictions on who can create, edit, or even see any given bug.  In Bugzilla 2.16.5, the routine enforces these rules in this order: - anyone can make a null change; - anyone can add a comment; - anyone in the editbugs group can make any change; - the reporter can make any change to the status; - anyone in the canconfirm group can change the status to any opened state (NEW, REOPENED, ASSIGNED). - anyone can change the status to any opened state if the everconfirmed flag is set; - the owner, QA contact, or reporter can make any change *except* changing the status to an opened state; - No other changes are permitted. Note that these rules combine to allow the reporter to make any change to the bug. In Bugzilla 2.17.7, the routine enforces these rules in this order; - anyone can make a null change; - anyone can add a comment; - anyone in the editbugs group can make any change; - anyone in the canconform group can change the status from UNCONFIRMED to any opened state; - the owner or QA contact can make any change; - the reporter can make any change *except*: - changing the status from UNCONFIRMED to any opened state; or - changing the target milestone; or - changing the priority (unless the letsubmitterchoosepriority parameter is set). - No other changes are permitted. The effective differences between these rules are as follows: 1. In 2.16.5, the reporter could always change anything about a bug. In 2.17.7, the reporter can't: - confirm the bug unless he is in the canconfirm group; - change the target milestone; - change the priority (unless the 'letsubmitterchoosepriority' parameter is set. (unless he is also the owner, the QA contact, or in the editbugs group, in which case he can do all these things). 2. In 2.16.5, the owner or QA contact (if the 'useqacontact' parameter is set) can't change the bug status to an opened status unless they are also the reporter, or have editbugs or canconfirm, or the everconfirmed flag is set on the bug). In 2.17.7 the owner or QA contact can make any change to a bug. 3. In 2.16.5, a member of the canconfirm group can set the status to any opened status. In 2.17.7 this is only possible if the status was previously the unconfirmed status. 4. In 2.16.5, the status can be set to anything by anybody if the 'everconfirmed' flag is set. In 2.17.7, this routine does not pay any attention to the 'everconfirmed' flag. | 
| How found | inspection | 
| Evidence | See CheckCanChangeField() in process_bug.cgi in Bugzilla 2.16.x and 2.17.x. | 
| Observed in | 2.1.2 | 
| Introduced in | 2.1.2 | 
| Created by | Nick Barnes | 
| Created on | 2004-06-24 13:09:57 | 
| Last modified by | Nick Barnes | 
| Last modified on | 2004-07-16 13:57:17 | 
| History | 2004-06-24 NB Created. | 
| Change | Effect | Date | User | Description | 
|---|---|---|---|---|
| 97171 | closed | 2004-05-28 16:43:43 | Nick Barnes | Bugzilla 2.17.7 support: bugmail.pl replacement for processmail. Bugzilla 2.17.5 database schema changes (especially new groups system, new product and component IDs, group_control_map controls); Cache results of some database queries to speed operation with new or old schemas; Changed bug change permission rules; Clean up better when deleting a bug; Correct values in bugs_activity entries when changing user columns. |