Security/Reviews/BZBrowserID
Item Reviewed
| Bugzilla Extension for BrowserID | |
| Target | http://bzr.mozilla.org/bugzilla/extensions/browserid/trunk/files
Login interface: http://www.bugzilla.org/docs/4.0/en/html/api/Bugzilla/Auth/Login.html
bug 698808 |
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- extension to Bugzilla for BrowserID logins
- this is an alternative; users can still use the old ways
- will only work if you have no more than basic permissions
  - "editbugs" and/or "canconfirm", plus "everyone" (obviously)
- answer: http://bzr.mozilla.org/bugzilla/extensions/browserid/trunk/annotate/head:/lib/Login.pm#L92
What solutions/approaches were considered other than the proposed solution?
- the current way to log in
Why was this solution chosen?
- want to extend the use of BrowserID
- easier to log in with BrowserID
Any security threats already considered in the design and why?
- users with higher rights cannot use this
- easy to disable if we find a problem
- same as the set of threats to BrowserID/Persona
Threat Brainstorming
Action Items
| Action Item Status | Complete |
| Release Target | ` |

| Who | Action | By When | Completed date ([NEW] new, [DONE] Done, [MISSED] Miss) |
| Gerv | Update code to check for absence of "nobrowserid" group | [DONE] Done (http://bzr.mozilla.org/bugzilla/extensions/browserid/trunk/revision/8) | |
| Gerv | File bug on full verifier support (non blocker) | [DONE] Done - bug 737480 | |
| Gerv | At appropriate moment, rename any UI elements to new branding | not needed | |
| Gerv | Create nobrowserid group and put relevant groups in it - all security, HR, legal | [DONE] Done | |