Please advise on security

Steven Tierney steven_tierney at yahoo.co.uk
Wed Jun 6 07:04:57 UTC 2012


Hi Marc,

Thanks for your quick reply.

I had a look at the links you suggested, thanks for them.

In my extension/Extension.pm file I try to get the logged in user and there is no problem, the logged in user & encrypted password can be found.

The problem I face is at the callback stage.  E.g. the user types 3 characters into the field and that triggers the Javascript to issue a callback to the web service.

At the callback time I try to do the find (in my extension/lib/WebService.pm file) but the logged in user is undefined.  

I can't help thinking I'm missing something blindingly obvious!  Do I need to pass in credentials when calling the webservice, so that the user can first be logged in here then the details I need can be found?  That can be done but I don't want to be writing the user id and encrypted password to the page, or depending on a browser cookie.  

I don't know what the proper 'bugzilla' methodology/workflow of using the web service is.

Anyway I am rambling on!  If you could offer me further guidance it would be greatly appreciated.


Thanks,
---
Steven




On 5 June 2012 17:15, Marc Schumann <wurblzap at gmail.com> wrote:

>Steven,
>
>use Bugzilla->user to find out whether the user is logged in (see http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla.html).
>Check out http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/User.html, too -- there are some can_see_* methods which may be of use to you.
>
>Further reading is at http://www.bugzilla.org/docs/tip/en/html/api/.
>
>   Good luck
>      Marc
>
>
>
>2012/6/5 Steven Tierney <steven_tierney at yahoo.co.uk>
>
>>Hi,
>>
>>I have developed a new extension for Bugzilla.  It uses the web service to access previously entered bug information in order to suggest autocomplete data for custom fields.  Using jQuery, it's fully configurable through Bugzilla web pages accessible from within the Administration area.
>>
>>There are security implications here because it will potentially expose bug data which might otherwise be secure.  For that reason I need advice on how to verify in the web service that
>>1. a user is logged in and,
>>2. is cleared to access bug data.
>>
>>I did check the Bugzilla source files but, not being very used to coding in Perl and not knowing how security 'works' in Bugzilla, I don't know where to start!
>>
>>I wonder if anyone can point me towards some documentation or give advice / code snippets that may help.
>>
>>The validation has to happen in the Webservice.pm file of the extension.
>>
>>
>>Thanks in advance!
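As an added example (not code from this thread, and not Bugzilla's own code), here is the shape a WebService.pm method could take to meet the two checks asked for in the original question, using the Bugzilla->user and can_see_* methods Marc points to. The package name, method name and parameter names are assumed, as is a Bugzilla 4.x code base.

```perl
package Bugzilla::Extension::AutoComplete::WebService;   # hypothetical extension name

use strict;
use warnings;
use base qw(Bugzilla::WebService);

use Bugzilla;
use Bugzilla::Constants;   # exports LOGIN_REQUIRED
use Bugzilla::Error;       # exports ThrowUserError
use Bugzilla::Field;

use constant MIN_PREFIX_LENGTH => 3;   # the JavaScript fires after 3 typed characters
use constant MAX_SUGGESTIONS   => 20;
# Return distinct values of one custom field that start with the typed prefix,
# drawn only from bugs the calling user is allowed to see.
sub suggest_values {
    my ($self, $params) = @_;

    # Step 1: refuse to run as the anonymous user. The WebService server has
    # already evaluated the login cookie or Bugzilla_login/Bugzilla_password;
    # LOGIN_REQUIRED makes Bugzilla throw login_required if neither was valid.
    Bugzilla->login(LOGIN_REQUIRED);
    my $user = Bugzilla->user;

    my $prefix = defined $params->{prefix} ? $params->{prefix} : '';
    return { values => [] } if length($prefix) < MIN_PREFIX_LENGTH;

    # Step 2: only accept a real custom field, so $column is never user-controlled.
    my $field = Bugzilla::Field->check($params->{field});
    $field->custom or ThrowUserError('illegal_field', { field => $field->name });
    my $column = $field->name;   # custom fields are stored as bugs.<field name>

    my $rows = Bugzilla->dbh->selectall_arrayref(
        "SELECT bug_id, $column FROM bugs WHERE $column LIKE ? ORDER BY bug_id DESC",
        undef, $prefix . '%');

    # Step 3: drop every value that comes from a bug this user cannot see,
    # then de-duplicate what is left.
    my (%seen, @values);
    foreach my $row (@$rows) {
        my ($bug_id, $value) = @$row;
        next if !defined $value || $value eq '';
        next unless $user->can_see_bug($bug_id);
        next if $seen{$value}++;
        push @values, $value;
        last if @values >= MAX_SUGGESTIONS;
    }
    return { values => \@values };
}
1;
```

The module still has to be registered through the extension's `webservice` hook in Extension.pm, and the jQuery callback must reach the endpoint with the session cookie (or Bugzilla_login/Bugzilla_password), otherwise Bugzilla->login(LOGIN_REQUIRED) rejects the request instead of running the query as nobody.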