Support optional client-side Bugzilla authentication to allow displaying non-public bugs? #54
Comments
|
I don't think this information is available without authenticating. |
|
Yeah...but well it doesn't request details for all hidden bug IDs but only those that are somehow linked to me ;) |
|
It doesn't matter for whom the bugs are, non open bugs still require authentication to view, so there is no way we can do this unless we switch to logging in via bugzilla-todos. |
|
But bugzilla-todo does know these bugs contain actionable items for the current user (just not in which category they should do.) |
Proof/example? :-) |
|
(Watch the webconsole when loading Bugzilla-todos for the BzAPI calls that are made - none of those should return hidden bugs, since they are unauthenticated. Note they are all bug searches - there isn't a generic "show me my requests" API endpoint) |
But they do :D |
|
I just tried bugzilla-todos for your bugzilla username - and I do see that. However those bug numbers are only queried as part of the "is bug foo blocked by bug bar, in which case should we hide it from the to-fix list" feature. ie, the bzapi query: So all Bugzilla-todos would be able to tell you is that "for public bug X to which you are assigned, bug Y on which it depends is non-public (but we don't know its summary, status/resolution, or what flags are set inside it)", rather than "show me all bugs that require my action, even if they are non-public" (which is what I understand by comment 0 in this issue - do say if you're asking for something else). Any other behaviour would be a breach of the Bugzilla security model, and as such something that should be filed and fixed. As such, if we wish to make Bugzilla-todos support non-public bugs, it needs to support authentication - not necessarily a bad thing (we could enforce that Bugzilla-todos was accessed via https and do this client side, but we'd presumably want security review etc first). |
|
That said, we should catch the HTTP 400 on the "check dependant bugs" call, rather than throw. I'd imagine it makes most sense to ignore non-public bugs in the determination as to whether a bug is ready to be fixed or not (I'd rather false negatives than false positives for exclusion). |
|
Thanks for the clarification! |
|
Given that #55 will prevent the thrown exception - seems like it's now best to morph the summary of this issue to something like "Support optional client-side Bugzilla authentication to allow displaying non-public bugs" - does that sound about right to you? |
|
sure |
|
@harthur - could you modify the summary of this issue to that two comments up, since we don't have permissions? Thanks :-) |
|
I can too :D |
mozfreddyb
changed the title
|
Issue "HTTP 400 for non-public bugs" renamed to "Support optional client-side Bugzilla authentication to allow displaying non-public bugs?" |
I don't know much info the API gives out, but if a non-public bug is known to be awaiting my action, it would be nice if the bug number would at least be shown. Even if other data is missing.
I think this might go in all the bugs.forEach() calls (in user.js) but wasn't sure where this makes most sense for you, so I didn't take a stab at it.
The text was updated successfully, but these errors were encountered: