Security


As we have mentioned, Bugzilla can track many projects at once. However, it may not make sense to allow users of the Employee Self Services system to enter bugs for the Cafeteria Inventory Management system, for example. You may also run a services company with many clients and use Bugzilla to track bugs for all projects, but you would not want different clients to know about one another. Bugzilla supports basic user- and group-level security for these needs. This section describes how to configure Bugzilla for bug groups.

Step 1--Create a New User

In order to test security, we'll first need to add a non-administrator user to Bugzilla.

  1. From the main menu, log out.

  2. The menu will now include a New Account option. Select this link and create a new account with an alternate e-mail address you have access to. Bugzilla creates a random password and sends it to the e-mail address given.

  3. Log in as the new user and change the password to something you will remember, using the Prefs hyperlink.

  4. Log out, and log back in as the administrator account.

Step 2--Configure Bugzilla

Logged in as the administrator account, we can now configure Bugzilla. From the Actions menu, choose the Parameters option. Near the top of the page are two options that need to be set to On for bug groups, as shown in the next figure.


Save the Parameters page. Bugzilla has now created bug groups. What does this mean? Whenever a new product is added, Bugzilla automatically creates a bug group for that product. Users must be members of these groups in order to see the products in the system and, therefore, to enter or search for bugs related to that product. The administrator user will automatically be able to see bugs for all products.

In many cases this setting may be turned on after there are already products in the system. Bug groups are created automatically only when a product is added, so for each existing product, create a new group with a group name exactly matching the product name. This is explained in Step 3 below.

Step 3--Administer Groups

First, we will verify that by default, users cannot see bugs for products they do not have access to. Create a new product called SecretProduct in Bugzilla. Be sure to leave the User Regex field blank so that no users are added to the bug group that will be automatically created. Log out of the administrator account, and log in as the user created in Step 1. The user is greeted with the Search For Bugs screen upon a successful login. However, SecretProduct does not appear as a product that may be searched. The user has no access to this bug group.

To grant access, log the test user out and reenter Bugzilla as the administrator account. In the Edit menu at the bottom of the Bugzilla screen, select the Users hyperlink to make some changes to the test user. This leads to a search screen allowing you to look for users to edit. Type in the e-mail address of the test user and click Submit. The next screen contains the results of the search. Follow the hyperlink containing your test user's name to edit that user. In the middle of the resulting screen, shown in the next figure, is a list of groups to which you can add users.


Select SecretProduct to add the user to the bug access group, and save the user by clicking the Update button. Log back in as the test user, and you should now be able to see the product, its components, and its bugs!
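The access rule from Steps 2 and 3, modeled as an added example (not code from the book or from Bugzilla itself): it reports products that have no exactly matching bug group and computes what a given user can see. The data layout, the function names, and the case-insensitive matching of User Regex against the e-mail address are assumptions made for illustration.

```python
import re

# Constructed sample data (not from a real installation).
PRODUCTS = ["Projosdev", "SecretProduct", "Cafeteria Inventory"]
GROUPS = {
    # group name -> User Regex field and explicitly added users
    "SecretProduct": {"regex": "", "members": {"tester@example.com"}},
    "Projosdev": {"regex": r"@example\.com$", "members": set()},
    "cafeteria inventory": {"regex": "", "members": {"chef@example.com"}},
}
ADMINS = {"admin@example.com"}


def unmatched_products(products, groups):
    """Map each product lacking an exactly named group to any near-miss groups."""
    findings = {}
    for product in products:
        if product in groups:
            continue
        key = product.strip().lower()
        findings[product] = [g for g in groups if g.strip().lower() == key]
    return findings


def in_group(user, group):
    """Member if added explicitly or matched by a non-blank User Regex."""
    if user in group["members"]:
        return True
    regex = group["regex"].strip()
    # A blank regex adds nobody; re.search("") would otherwise match every user.
    # Assumption: the regex is searched case-insensitively in the e-mail address.
    return bool(regex) and re.search(regex, user, re.IGNORECASE) is not None


def visible_products(user, products, groups, admins):
    """Products the user may see; administrators see all products."""
    if user in admins:
        return sorted(products)
    # Products with no matching group are left out here and reported by
    # unmatched_products(); the text does not say how Bugzilla treats them.
    return sorted(p for p in products
                  if p in groups and in_group(user, groups[p]))
```

With the sample data, the group "cafeteria inventory" is reported as a near miss for the product "Cafeteria Inventory" because the names differ in case, which is the situation the exact-name requirement above is meant to catch.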

Advanced Configuration

In addition to the parameters immediately set up upon installation, you may want to consider changing some other Bugzilla configuration options:

  • sendmailnow: Bugzilla by default will spool mail messages and not send them immediately. For quicker communication turn this setting on.

  • shutdownhtml: If you are upgrading Bugzilla (see below) or performing MySQL administration or just want to turn Bugzilla off for a while, you can create some HTML in this setting. Users attempting to use Bugzilla will see this HTML instead of any Bugzilla page. The only page that can still be navigated to is editparams.cgi, so remember that you may need to manually type the URL when it's time to turn Bugzilla back on. Erase the HTML to reenable Bugzilla.

  • usertargetmilestone: Often on an open-source project such as Mozilla, the project lists some features it expects to introduce or bugs it intends to fix by a certain milestone. By turning on this setting, you can let Bugzilla track this information for you. You will now have options to edit milestones for products.

Another advanced configuration option is keeping up with the Bugzilla code base itself. The Bugzilla code exists in a CVS repository with anonymous access. Current information on the location of the repository and how to update it can be found at http://www.bugzilla.org/download.html. For detailed information on CVS commands, see Chapter 3.

Voting

Voting is a feature fairly unique to Bugzilla, and it suits open-source projects with somewhat decentralized management quite well. The basic premise of voting is that each Bugzilla user will have a certain number of votes to put toward bugs.

To turn on and configure voting, navigate to the Edit Parameters page and make sure the usevotes parameter is on. Voting is now configured on a product-by-product basis. Navigate to the Edit Products screen and select the Projosdev example product. There are three settings for voting on each product, as shown below:


The Maximum Votes Per Person setting indicates the most times a person can vote on this project. People can vote for the same bug more than once, up to the number of votes they have or the number specified in the second setting. Votes are really like a point system that allows the project team and its users to weight defects and enhancements and try to get the owners of the components in question to address these items sooner rather than later. You should configure these settings based on the estimated number of bugs in the product. For example, a product with, say, 30 modules should have a proportionally large number of votes allowed. The number of bugs currently active for the product is shown at the bottom of this screen.

Bugzilla users can vote for bugs on the Bug Detail screen. Choosing Vote For This Bug takes the users to a screen where they may assign as many votes to the bug as they like, up to the maximum number allowed for the product.




Professional Java Tools for Extreme Programming: Ant, XDoclet, JUnit, Cactus, and Maven (Programmer to Programmer)
ISBN: 0764556177
EAN: 2147483647
Year: 2003
Pages: 228
