Please advise on security

Ali Ustek aliustek at gmail.com
Wed Jun 6 07:14:35 UTC 2012


Steven,

The Bugzilla->user object can be used to find the details of the user in the
current session; just check the object's methods.
Regards,
Rojanu
On Jun 6, 2012 8:05 AM, "Steven Tierney" <steven_tierney at yahoo.co.uk> wrote:

> Hi Marc,
>
> Thanks for your quick reply.
>
> I had a look at the links you suggested, thanks for them.
>
> In my extension/Extension.pm file I try to get the logged in user and
> there is no problem, the logged in user & encrypted password can be found.
>
> The problem I face is at the callback stage.  Eg. The user types 3
> characters into the field and that triggers the Javascript to issue a
> callback to the web service.
>
> At the callback time I try to do the find (in my
> extension/lib/WebService.pm file) but the logged in user is undefined.
>
> I can't help thinking I'm missing something blindingly obvious!  Do I need
> to pass in credentials when calling the webservice, so that the user can
> first be logged in here then the details I need can be found?  That can be
> done but I don't want to be writing the user id and encrypted password to
> the page, or depending on a browser cookie.
>
> I don't know what the proper 'bugzilla' methodology/workflow of using the
> web service is.
>
> Anyway I am rambling on!  If you could offer me further guidance it would
> be greatly appreciated.
>
>
> Thanks,
> ---
> Steven
>
>
>
> On 5 June 2012 17:15, Marc Schumann <wurblzap at gmail.com> wrote:
>
>> Steven,
>>
>> use Bugzilla->user to find out whether the user is logged in (see
>> http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla.html).
>> Check out http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/User.html,
>> too -- there are some can_see_* methods which may be of use to you.
>>
>> Further reading is at http://www.bugzilla.org/docs/tip/en/html/api/.
>>
>>    Good luck
>>       Marc
>>
>>
>> 2012/6/5 Steven Tierney <steven_tierney at yahoo.co.uk>
>>
>>> Hi,
>>>
>>> I have developed a new extension for Bugzilla.  It uses the web service
>>> to access previously entered bug information in order to suggest
>>> autocomplete data for custom fields.  Using jQuery, it's fully configurable
>>> through Bugzilla web pages accessible from within the Administration area.
>>>
>>> There are security implications here because it will potentially expose
>>> bug data which might otherwise be secure.  For that reason I need advice on
>>> how to verify in the web service that
>>> 1. a user is logged in and,
>>> 2. is cleared to access bug data.
>>>
>>> I did check the Bugzilla source files but, not being very used to coding
>>> in Perl and not knowing how security 'works' in Bugzilla, I don't know
>>> where to start!
>>>
>>> I wonder if anyone can point me towards some documentation or give
>>> advice / code snippets that may help.
>>>
>>> The validation has to happen in the Webservice.pm file of the extension.
>>>
>>>
>>> Thanks in advance!
>>
>>
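
The two checks asked about in the thread (a user is logged in, and is cleared to see the bug data) can be made inside the extension's web service method as shown here. This is an added example, not code from the thread or from Bugzilla itself; the package name `AutoSuggest`, the method `suggest` and the `field`/`prefix` parameters are hypothetical.

```perl
package Bugzilla::Extension::AutoSuggest::WebService;  # hypothetical extension name
use strict;
use warnings;
use base qw(Bugzilla::WebService);

use Bugzilla;
use Bugzilla::Constants;    # LOGIN_REQUIRED
use Bugzilla::Error;        # ThrowCodeError

# Hypothetical method: suggest values of one custom field, drawn only
# from bugs the calling user is allowed to see.
sub suggest {
    my ($self, $params) = @_;

    # 1. Require an authenticated caller; this throws for anonymous requests.
    my $user = Bugzilla->login(LOGIN_REQUIRED);

    # Accept only the name of an existing custom field, because the name is
    # interpolated into SQL as a column. 'param_invalid' is assumed to be an
    # error tag your Bugzilla version defines.
    my $field = defined $params->{field} ? $params->{field} : '';
    my ($known) = grep { $_->name eq $field } @{ Bugzilla->active_custom_fields };
    $known || ThrowCodeError('param_invalid',
        { function => 'AutoSuggest.suggest', param => 'field' });
    my $column = $known->name;

    # Simplification: the prefix may not contain LIKE wildcards (% or _).
    # The capture also untaints the value for use as a bind parameter.
    my $raw = defined $params->{prefix} ? $params->{prefix} : '';
    my ($prefix) = $raw =~ /^([A-Za-z0-9 .-]{3,50})$/;
    defined $prefix || ThrowCodeError('param_invalid',
        { function => 'AutoSuggest.suggest', param => 'prefix' });

    my $rows = Bugzilla->dbh->selectall_arrayref(
        "SELECT bug_id, $column FROM bugs WHERE $column LIKE ?",
        undef, "$prefix%");

    # 2. Keep only rows from bugs this user may see, so a suggestion never
    #    leaks a value from a restricted bug.
    my %visible = map { $_ => 1 }
        @{ $user->visible_bugs([ map { $_->[0] } @$rows ]) };
    my %seen;
    my @values = grep { !$seen{$_}++ }
                 map  { $_->[1] }
                 grep { $visible{ $_->[0] } } @$rows;

    return { values => \@values };
}

1;
```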