Group Name Guessing Disclosure Policy

Frédéric Buclin lpsolit at gmail.com
Wed Jul 21 12:52:14 UTC 2010


On 21. 07. 10 00:27, Max Kanat-Alexander wrote:
> 	But I'm talking about a generic case--are you saying that I should
> iterate all products in the database and call groups_available on them
> just to know if a group name is visible?

A group name being visible depends on the context.


> 	How, by making the group icons not have a tooltip, thus making them
> rather hard to figure out?

You don't display the icon at all.


> 	How many customized installations have you worked with or read the code
> of? I can promise you that they will have no idea they need to do
> anything about this.

That's not your problem. And if methods are well documented, then this
would mitigate the risk a bit. Basically, you would have two main methods
to use: $user->can_see_group(), and Bugzilla::Group->check().


> 	Because Wurblzap was saying that a generic $user->can_see_group would
> be easy, which it would not be.

I think it's easy too. For the cases you are thinking about, you don't
need any check at all.


LpSolit
