Group Name Guessing Disclosure Policy
Frédéric Buclin
lpsolit at gmail.com
Wed Jul 21 12:52:14 UTC 2010
On 21. 07. 10 00:27, Max Kanat-Alexander wrote:
> But I'm talking about a generic case--are you saying that I should
> iterate all products in the database and call groups_available on them
> just to know if a group name is visible?
A group name being visible depends on the context.
> How, by making the group icons not have a tooltip, thus making them
> rather hard to figure out?
You don't display the icon at all.
> How many customized installations have you worked with or read the code
> of? I can promise you that they will have no idea they need to do
> anything about this.
That's not your problem. And if methods are well documented, then this
would mitigate the risk a bit. Basically, you would have two main methods
to use: $user->can_see_group(), and Bugzilla::Group->check().
> Because Wurblzap was saying that a generic $user->can_see_group would
> be easy, which it would not be.
I think it's easy too. For the cases you are thinking about, you don't
need any check at all.
LpSolit
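The two entry points LpSolit proposes, a context-dependent $user->can_see_group() and a Bugzilla::Group->check() that does the visibility check itself, sketched as a stand-alone Python model. This is an added example, not Bugzilla code: the Group, Product and User classes, the sample users, products and groups, and the semantics of groups_available() (a user who can see a product may see the names of its groups) are all assumptions. The point it shows is the disclosure-policy one: check_group() raises the same error for a group that does not exist and for one the caller may not see, so the error text is not an oracle for guessing group names.

```python
# Constructed, stand-alone model (not Bugzilla's Perl code) of the two entry
# points named in the thread: a context-dependent can_see_group() and a
# check() that refuses to reveal whether a hidden group exists.
from dataclasses import dataclass


class GroupNotFound(Exception):
    """Raised for unknown AND invisible groups with an identical message, so
    the error text cannot be used to probe which group names exist."""


@dataclass(frozen=True)
class Group:
    name: str
    members: frozenset = frozenset()   # user names


@dataclass(frozen=True)
class Product:
    name: str
    group_names: frozenset             # groups that apply to this product
    visible_to: frozenset              # user names allowed to see the product

    def groups_available(self, user):
        """Assumed semantics: a user who can see the product may see the
        names of its groups; a user who cannot see the product sees none."""
        if user.name not in self.visible_to:
            return frozenset()
        return self.group_names


# Constructed sample data (assumption, not from any real installation).
GROUPS = {
    "public-bugs": Group("public-bugs"),
    "security-team": Group("security-team", frozenset({"alice"})),
    "qa-insiders": Group("qa-insiders", frozenset({"bob"})),
}
PRODUCTS = [
    Product("Firefox", frozenset({"public-bugs"}), frozenset({"alice", "bob"})),
    Product("SecretProject", frozenset({"security-team"}), frozenset({"alice"})),
]


@dataclass(frozen=True)
class User:
    name: str

    def can_see_group(self, group_name, product=None):
        """Visibility depends on context. Membership always suffices; with a
        product given, only that product is consulted; without one, every
        product is scanned (the iteration the thread argues about)."""
        group = GROUPS.get(group_name)
        if group is not None and self.name in group.members:
            return True
        scope = [product] if product is not None else PRODUCTS
        return any(group_name in p.groups_available(self) for p in scope)


def check_group(name, user, product=None):
    """Model of a check() method: return the Group only if it exists and the
    caller may see it; otherwise raise the same error in both cases so the
    caller cannot tell 'hidden' apart from 'nonexistent'."""
    group = GROUPS.get(name)
    if group is None or not user.can_see_group(name, product):
        raise GroupNotFound("No such group")
    return group


def probe(user, names):
    """What a name-guessing caller observes: 'found' or the error text."""
    results = {}
    for n in names:
        try:
            check_group(n, user)
            results[n] = "found"
        except GroupNotFound as e:
            results[n] = str(e)
    return results


if __name__ == "__main__":
    bob = User("bob")
    print(probe(bob, ["public-bugs", "security-team", "no-such-group"]))
```

With the sample data, bob gets "found" for public-bugs and the identical "No such group" for both security-team (exists, hidden from him) and no-such-group (does not exist); alice, who can see SecretProject, gets the security-team Group back. Whether a name is visible is answered per product where a product is known, and only falls back to scanning all products when the caller has no context.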