In general: I am happy to change Bugzilla settings, whatever is agreed on in the end.
On Wed, 2013-11-06 at 07:38 -0800, Rob Lanphier wrote:
On Wed, Nov 6, 2013 at 5:24 AM, MZMcBride <z@mzmcbride.com> wrote:
Our Bugzilla installation at https://bugs.wikimedia.org/ currently restricts the capabilities of new users as a knee-jerk response to prior Bugzilla-related vandalism. There are further details at https://bugzilla.wikimedia.org/40497.
As I recall, Mark Hershberger and Ariel Glenn were the ones that dealt with most of the aftermath of the attacks that we received that ultimately led to it being turned off. It was not a knee jerk response. We temporarily turned it off and turned it back on a few days later, only to have dozens (hundreds?) of bugs altered in a way that was not easily reversed.
Bugzilla does not allow centrally reverting all actions by a specific person: https://bugzilla.mozilla.org/show_bug.cgi?id=735213
In consulting with the Bugzilla developers (I believe I may have sent a public mail about this to their list), their answer was essentially that Bugzilla was never designed for giving editbugs to untrusted users, and that by doing so, we had what was coming to us.
[...]
We can certainly do something different than what we're doing, though. It should be easy to get editbugs; just not so easy that a vandal can get it.
Anyone have any ideas how to mitigate the vandalism problem?
Referring to the recent problem in Wikimedia Bugzilla, setting the assignee field is only possible when having "editbugs" permissions. There are no permissions which are more fine-grained and I could not find a request upstream asking for a specific "be able to change the assignee without editbugs permissions" request (plus docs suck anyway, see https://bugzilla.mozilla.org/show_bug.cgi?id=481859 ).
I have no good spontaneous idea how to solve this problem. My guess is hacking the code as described in http://www.bugzilla.org/docs/4.4/en/html/cust-change-permissions.html
I've asked on the upstream mailing list: https://groups.google.com/forum/#!topic/mozilla.support.bugzilla/6GCB7ufa7nc
The wider picture regarding vandalism:
Related unresolved upstream bugs referring to blocking IPs:
https://bugzilla.mozilla.org/show_bug.cgi?id=904698
https://bugzilla.mozilla.org/show_bug.cgi?id=536110
Mozilla Bugzilla had a spam problem a few days ago, and they ended up temporarily disabling account creation for specific domains *manually*, instead of trying to fix it properly in https://bugzilla.mozilla.org/show_bug.cgi?id=467763
andre