Group Name Guessing Disclosure Policy

Max Kanat-Alexander mkanat at bugzilla.org
Tue Jul 20 02:55:13 UTC 2010


On 07/19/2010 05:21 PM, Gervase Markham wrote:
> If the API were to support group IDs rather than group names, would this
> problem be mitigated?

	Well, I actually want the API to support group names instead of IDs. I
originally told you to use IDs because of the problem we're discussing
in this thread, but when actually implementing Bug.update and thinking
about how people would use it, I changed my mind.

	Part of the reason to use names is that I want API calls to be portable
across Bugzillas with identically-named groups. Also, names are easy to
understand and see, and group IDs are meaningless. The error "You tried
to add the group 1 to this bug but it is not legal here" is really
unhelpful, as an example.

	Also, the API doubles as the interface for email_in.pl (because of how
Bugzilla::Bug works), and I don't think we want to require inbound email
senders to know group IDs.

	-Max
-- 
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.


