API: Group write support

Gervase Markham gerv at mozilla.org
Wed Oct 14 08:41:59 UTC 2009

I have a problem with the API implementation that I hope you can help me 
with :-) It relates to supporting groups - specifically, changing the 
groups on a bug. (The API already supports reading group names.)

The issue is that group names are confidential to those who cannot see 
those groups. Therefore, the URL interface on process_bug.cgi for 
changing groups involves the group IDs rather than the group names. 
However, the XML bug representation returns only group names rather than 

Therefore, as things are now, if an API user attempts to change the 
groups of a bug, they would be sending back a list of group names. 
However, the API software cannot translate these into group IDs without 
knowledge of that mapping, which it doesn't currently have. This 
information is available in the RDF output of config.cgi.

So it looks like one has to do one of the following:

1) Make, and cache the results of, a request to config.cgi for each API 
user (login), and use that information to convert names into numbers. 
This would decrease performance and increase memory requirements.

2) Have the API configuration give a superuser username and password for 
the Bugzilla. Make a single request for config.cgi using that username 
and password, and expect it to contain all groups. Use this for all 
conversions. This should be safe, as you are converting from names to 
numbers only, not the other way. Bugzilla will reject the setting of 
groups the user isn't allowed to set anyway. This requires the API 
machine to have privileged access to Bugzilla, which is unfortunate.

3) Switch the XML to also produce group IDs; change the representation 
of a group on the API from a single string to a "Group" object 
containing name, ID and possibly description, with the ID being 
canonical. This is an increase in interface complexity.

I'm leaning towards 3). What do you guys think?

dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org

More information about the developers mailing list