Charts and Security

Gervase Markham gerv at
Sun May 16 22:42:22 UTC 2004


We have a small problem with the new charting system and security - in 
that it doesn't have any. Anyone with editbugs can view the charts, 
which leak the names of all products, even secure ones.

This is all basically due to me not implementing a solution quickly 
enough, and you all being very efficient about the other pre-requisites 
for 2.18.

The names of the series are just text - i.e. there's no hard and fast 
link between them and the product names they happen to match. This is a 
feature, and probably a good one, but it makes automatic group 
management a little more tricky than otherwise.

There are currently two proposed solutions:

1) Add group controls to the charts

This means each series has a group, and we intelligently put the 
migrated ones in groups. The various corners have been discussed and we 
have an implementation strategy, but it's a bit of work. I'm happy to do 
it, and even prioritise it, but it would unavoidably take an amount of 
time to get a working, tested patch reviewed and checked in.

2) Use a single "magic name" group (like timetracking) to control access 
to the lot

This means we have a single group which controls access to the whole 
thing. It was proposed as a stopgap solution if the above is too complex 
to implement for 2.18. It's easier to do, but I'm concerned that a) it 
leaves a migration problem if we want to do 1) later, and b) it doesn't 
actually provide a workable solution for a lot of sites, leaving them no 
option but to disable chart access for most people. Which would be sad.

Views? Feel free to read the bugs to get expanded versions of the above.

Neeeed sleeeep....
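
A minimal model of the two proposals in the message above, added here as an illustration; it is not part of the original post and not Bugzilla's code. The product names, group names, the `chartgroup` magic group and the fail-closed fallback for series whose text matches no product are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: product -> group that restricts it (None = public).
PRODUCT_GROUPS = {"Widget": None, "SecretProject": "secret-team"}
MAGIC_GROUP = "chartgroup"   # hypothetical name for option 2's single group
FALLBACK_GROUP = "admin"     # hypothetical fail-closed group for unmatched series

@dataclass
class Series:
    category: str                # free text; only happens to match a product name
    name: str
    group: Optional[str] = None  # None means any chart user may see it

def migrate(series, product_groups=PRODUCT_GROUPS, fallback=FALLBACK_GROUP):
    """Option 1 migration: copy the group of the product whose name the
    category text matches; restrict the series when nothing matches."""
    for s in series:
        if s.category in product_groups:
            s.group = product_groups[s.category]
        else:
            s.group = fallback
    return series

def visible_per_series(user_groups, series):
    """Option 1: every series is checked against the user's groups."""
    return [s for s in series if s.group is None or s.group in user_groups]

def visible_magic_group(user_groups, series, magic=MAGIC_GROUP):
    """Option 2: one group gates the whole charting system."""
    return list(series) if magic in user_groups else []

def leaked_categories(visible, user_groups, product_groups=PRODUCT_GROUPS):
    """Categories shown to a user who cannot see the matching product."""
    return sorted({s.category for s in visible
                   if product_groups.get(s.category) not in (None, *user_groups)})

def sample():
    # Constructed series, including one whose text matches no current product.
    return migrate([Series("Widget", "NEW"),
                    Series("SecretProject", "NEW"),
                    Series("Renamed Old Product", "NEW")])
```

With the single group, a member sees every series, including those named after products they cannot otherwise see; with per-series groups the same user sees only what their product access allows.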

