Group Name Guessing Disclosure Policy
Max Kanat-Alexander
mkanat at bugzilla.org
Wed Jul 21 13:34:27 UTC 2010
On 07/21/2010 05:52 AM, Frédéric Buclin wrote:
> A group name being visible depends on the context.
Yeah, that's more or less what I was saying.
>> How, by making the group icons not have a tooltip, thus making them
>> rather hard to figure out?
>
> You don't display the icon at all.
I don't think that's a very good solution--it sounds like you're saying
that we should remove an entire feature just because some people might
mis-use it and expose some subset of information that some small number
of installations might consider confidential.
> That's not your problem. And if methods are well documented, then this
> would mitigate the risk a bit. Basically, you would have two main methods
> to use: $user->can_see_group(), and Bugzilla::Group->check().
Mmm, what are you thinking of as the implementation for
$user->can_see_group?
-Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.
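Added illustration, not code from Bugzilla or from either poster: a sketch in Perl (Bugzilla's language) of the two-method split being discussed, written around a constructed in-memory group table. The names can_see_group, check_group and check_group_leaky, the visible_to_all flag and the users alice and bob are all assumptions for the example. The point it shows is that a check() that answers "no such group" for both a nonexistent group and one the caller is not allowed to see gives a name-guesser nothing to distinguish, whereas two different errors confirm that a guessed name exists.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data, not Bugzilla's schema: group name => membership
# and whether the group's name is public.
my %GROUPS = (
    editbugs   => { members => { alice => 1, bob => 1 }, visible_to_all => 1 },
    secretproj => { members => { alice => 1 },           visible_to_all => 0 },
);

# Hypothetical $user->can_see_group equivalent: the name is visible when the
# group is public or the user is a member. Unknown names are simply invisible.
sub can_see_group {
    my ($user, $name) = @_;
    my $g = $GROUPS{$name} or return 0;
    return 1 if $g->{visible_to_all};
    return $g->{members}{$user} ? 1 : 0;
}

# Hypothetical Bugzilla::Group->check equivalent: returns the group record,
# or dies with ONE message for both "does not exist" and "exists but is
# hidden from you", so the caller cannot tell the two cases apart.
sub check_group {
    my ($user, $name) = @_;
    if (!exists $GROUPS{$name} || !can_see_group($user, $name)) {
        die "There is no group named '$name'.\n";
    }
    return $GROUPS{$name};
}

# Leaky variant for contrast: a different message for a hidden group tells
# an unprivileged caller that the guessed name is real.
sub check_group_leaky {
    my ($user, $name) = @_;
    die "There is no group named '$name'.\n"           unless exists $GROUPS{$name};
    die "You are not allowed to see group '$name'.\n"  unless can_see_group($user, $name);
    return $GROUPS{$name};
}

# bob is not in secretproj; compare what each variant tells him about a
# real hidden group versus a name that does not exist at all.
for my $name (qw(secretproj nosuchgroup)) {
    my $uniform = eval { check_group('bob', $name);       'visible' } // $@;
    my $leaky   = eval { check_group_leaky('bob', $name); 'visible' } // $@;
    chomp($uniform, $leaky);
    printf "%-12s uniform: %-42s leaky: %s\n", $name, $uniform, $leaky;
}
```

Run with plain perl (5.10 or later for the // operator). The uniform column prints the same message for both names, while the leaky column differs between them, which is exactly the oracle a group-name guesser would exploit.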