API: Group write support
gerv at mozilla.org
Wed Oct 14 08:41:59 UTC 2009
I have a problem with the API implementation that I hope you can help me
with :-) It relates to supporting groups - specifically, changing the
groups on a bug. (The API already supports reading group names.)
The issue is that group names are confidential to those who cannot see
those groups. Therefore, the URL interface on process_bug.cgi for
changing groups involves the group IDs rather than the group names.
However, the XML bug representation returns only group names rather than
Therefore, as things are now, if an API user attempts to change the
groups of a bug, they would be sending back a list of group names.
However, the API software cannot translate these into group IDs without
knowledge of that mapping, which it doesn't currently have. This
information is available in the RDF output of config.cgi.
So it looks like one has to do one of the following:
1) Make, and cache the results of, a request to config.cgi for each API
user (login), and use that information to convert names into numbers.
This would decrease performance and increase memory requirements.
2) Have the API configuration give a superuser username and password for
the Bugzilla. Make a single request for config.cgi using that username
and password, and expect it to contain all groups. Use this for all
conversions. This should be safe, as you are converting from names to
numbers only, not the other way. Bugzilla will reject the setting of
groups the user isn't allowed to set anyway. This requires the API
machine to have privileged access to Bugzilla, which is unfortunate.
3) Switch the XML to also produce group IDs; change the representation
of a group on the API from a single string to a "Group" object
containing name, ID and possibly description, with the ID being
canonical. This is an increase in interface complexity.
I'm leaning towards 3). What do you guys think?
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
More information about the developers