In general: I am happy to change Bugzilla settings, whatever is agreed
on in the end.
On Wed, 2013-11-06 at 07:38 -0800, Rob Lanphier wrote:
On Wed, Nov 6, 2013 at 5:24 AM, MZMcBride <z(a)mzmcbride.com> wrote:
Our Bugzilla installation at <https://bugs.wikimedia.org/> currently
restricts the capabilities of new users as a knee-jerk response to prior
Bugzilla-related vandalism. There are further details at
<https://bugzilla.wikimedia.org/40497>.
As I recall, Mark Hershberger and Ariel Glenn were the ones that dealt with
most of the aftermath of the attacks that we received that ultimately led
to it being turned off. It was not a knee jerk response. We temporarily
turned it off and turned it back on a few days later, only to have dozens
(hundreds?) of bugs altered in a way that was not easily reversed.
Bugzilla does not allow centrally reverting all actions by a specific
person:
https://bugzilla.mozilla.org/show_bug.cgi?id=735213
In consulting with the Bugzilla developers (I believe I may have sent a
public mail about this to their list), their answer was essentially that
Bugzilla was never designed for giving editbugs to untrusted users, and
that by doing so, we had what was coming to us.
[...]
We can certainly do something different than what we're doing, though. It
should be easy to get editbugs; just not so easy that a vandal can get it.
Anyone have any ideas how to mitigate the vandalism problem?
Referring to the recent problem in Wikimedia Bugzilla, setting the
assignee field is only possible when having "editbugs" permissions.
There are no permissions which are more fine-grained and I could not
find a request upstream asking for a specific "be able to change the
assignee without editbugs permissions" request (plus docs suck anyway,
see https://bugzilla.mozilla.org/show_bug.cgi?id=481859 ).
I have no good spontaneous idea how to solve this problem.
My guess is hacking the code as described in
http://www.bugzilla.org/docs/4.4/en/html/cust-change-permissions.html
I've asked on the upstream mailing list:
https://groups.google.com/forum/#!topic/mozilla.support.bugzilla/6GCB7ufa7nc
The wider picture regarding vandalism:
Related unresolved upstream bugs referring to blocking IPs:
https://bugzilla.mozilla.org/show_bug.cgi?id=904698
https://bugzilla.mozilla.org/show_bug.cgi?id=536110
Mozilla Bugzilla had a spam problem a few days ago, and they ended up
temporarily disabling account creation for specific domains *manually*,
instead of trying to fix it properly in
https://bugzilla.mozilla.org/show_bug.cgi?id=467763
andre
--
Andre Klapper | Wikimedia Bugwrangler
http://blogs.gnome.org/aklapper/