Archive for May, 2013

Understanding Bugzilla groups and admin rights

Tuesday, May 28th, 2013

As part of my work for the Wikimedia Foundation I recently tried to understand Bugzilla groups a bit better, specifically which tasks can only be done by Bugzilla administrators. In general, permissions to do stuff in Bugzilla (e.g. editing keywords, components, etc.) are defined by groups in Bugzilla, and Bugzilla users get membership in certain groups, manually or automatically.

Bugzilla logo by Dave Shea

Membership in the Bugzilla admin group is always required for the following general tasks:

  • viewing the generated SQL query by using the &debug=1 URL parameter
  • deleting attachments (instead of just marking them as private)
  • editing Bugzilla field values (editvalues.cgi) and editing custom fields (editfields.cgi)
  • editing the bug status workflow (editworkflow.cgi)
  • editing (or banning/blocking) Bugzilla accounts, e.g. in case of violations of your project's Code of Conduct. This right comes from editusers group membership, and editusers group membership de facto means admin group membership, because an account in the editusers group can edit its own account and grant itself admin group membership.

The list above is not necessarily complete. (Thanks to Byran Jones for input.)

Then there are tasks that might require membership in the Bugzilla admin group, depending on the configuration of your Bugzilla instance:

  • Marking comments and attachments as private, and accessing comments and attachments marked as private, requires membership in the insidergroup. Individuals cannot be added to it manually; the insidergroup can only be set to another existing group. It might be set to the admin group in your configuration.
  • Inherited group membership: Bugzilla allows defining automatic membership in group X if an account is a member of group Y, or if the account's email address matches a specific regex defined for a group. By default, members of the admin group are automatically included in tweakparams, editusers, creategroups, editcomponents and editkeywords. It is worth checking your configuration to see whether any groups automatically inherit membership in either the admin or the editusers group.
  • Creating charts requires membership in the chartgroup (chart.cgi). Individuals cannot be added to it manually; the chartgroup can only be set to another existing group. It is by default set to the admin group in Bugzilla.
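
The inheritance check from the list above can be done mechanically. The following is an added example, not Bugzilla code and not part of the original post: it walks a group inheritance map transitively and reports every group whose members end up in admin or editusers. The groups moderators, community-leads and triagers, the regex and the email addresses are constructed sample data; fill the two dictionaries from your own instance's group settings.

```python
import re
from collections import deque

# Constructed sample configuration, not taken from a real instance.
# INHERITS[X] = groups whose members automatically become members of X.
INHERITS = {
    "admin": set(),
    "editusers": {"admin", "moderators"},
    "tweakparams": {"admin"},
    "editcomponents": {"admin", "triagers"},
    "moderators": {"community-leads"},
    "community-leads": set(),
    "triagers": set(),
}
# Per-group email regex granting automatic membership (constructed).
# An empty string means the group has no regex-based membership.
USER_REGEXP = {"community-leads": r"@example\.org$", "moderators": ""}

# Per the post, editusers membership is de facto admin membership.
ADMIN_EQUIVALENT = ("admin", "editusers")

def groups_reaching_admin(inherits):
    """Return {group: path} for each group whose members become admin-equivalent."""
    paths = {g: [g] for g in ADMIN_EQUIVALENT if g in inherits}
    queue = deque(paths)
    while queue:  # breadth-first walk, so each path is a shortest one
        target = queue.popleft()
        for source in sorted(inherits.get(target, ())):
            if source not in paths:
                paths[source] = [source] + paths[target]
                queue.append(source)
    return paths

def regex_granted_admin(inherits, user_regexp, emails):
    """Map each email to the escalation paths opened by a matching group regex."""
    paths = groups_reaching_admin(inherits)
    hits = {}
    for email in emails:
        for group, pattern in user_regexp.items():
            # Python's re only approximates the database's regex matching.
            if pattern and group in paths and re.search(pattern, email):
                hits.setdefault(email, []).append(paths[group])
    return hits

if __name__ == "__main__":
    for group, path in sorted(groups_reaching_admin(INHERITS).items()):
        print(" -> ".join(path))
    print(regex_granted_admin(INHERITS, USER_REGEXP,
                              ["a@example.org", "b@example.com"]))
```

Any path longer than one element is a group that silently confers admin-equivalent rights, and any email listed by regex_granted_admin gets those rights just by registering with a matching address.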

I hope this is helpful for other Bugzilla admins out there, as I could not find much documentation. One day I might turn this into a patch for Bugzilla upstream documentation.