Charts and Security
Gervase Markham
gerv at mozilla.org
Sun May 16 22:42:22 UTC 2004
Chaps,
We have a small problem with the new charting system and security - in
that it doesn't have any. Anyone with editbugs can view the charts,
which leak the names of all products, even secure ones.
This is all basically due to me not implementing a solution quick
enough, and you all being very efficient about the other pre-requisites
for 2.18.
The names of the series are just text - i.e. there's no hard and fast
link between them and the product names they happen to match. This is a
feature, and probably a good one, but it makes automatic group
management a little more tricky than otherwise.
There are currently two proposed solutions:
1) Add group controls to the charts
http://bugzilla.mozilla.org/show_bug.cgi?id=225687
This means each series has a group, and we intelligently put the
migrated ones in groups. The various corners have been discussed and we
have an implementation strategy, but it's a bit of work. I'm happy to do
it, and even prioritise it, but it would unavoidably take an amount of
time to get a working, tested patch reviewed and checked in.
2) Use a single "magic name" group (like timetracking) to control access
to the lot
http://bugzilla.mozilla.org/show_bug.cgi?id=243463
This means we have a single group which controls access to the whole
thing. It was proposed as a stopgap solution if the above is too complex
to implement for 2.18. It's easier to do, but I'm concerned that a) it
leaves a migration problem if we want to do 1) later, and b) it doesn't
actually provide a workable solution for a lot of sites, leaving them no
option but to disable chart access for most people. Which would be sad.
Views? Feel free to read the bugs to get expanded versions of the above
summary.
Neeeed sleeeep....
Gerv
More information about the developers
mailing list