RPG-support Posted June 5, 2016

Your team has its own corporate understanding of what the bug is. On the example of 2 obvious security breaches which were not considered the bugs.

opentype Posted June 5, 2016

1 hour ago, RPG-support said:
> Your team has its own corporate understanding of what the bug is.

No. It's the common understanding. Check the definition on Wikipedia if you like: “… produce an incorrect or unexpected result, or to behave in unintended ways”. If the reports you link show expected results from the point of view of the developers(!), then they are not bugs. It’s that simple. Post your recommendations in the feedback forums as it was suggested to you. These “I don’t like it that way, it must be bug” discussions come up all the time, but they never lead anywhere. Not even your exaggerated claim of a “security breach” will change the definition of a bug.

RPG-support (Author) Posted June 5, 2016

26 minutes ago, opentype said:
> Check the definition on Wikipedia if you like: “… produce an incorrect or unexpected result, or to behave in unintended ways”. If the reports you link show expected results from the point of view of the developers(!), then they are not bugs. It’s that simple.

Well, this was your idea to check the definition. Here it is coming:

Quote:
> A software bug is an ►error, flaw, failure or fault◄ in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a program's source code or its design, or in frameworks and operating systems used by such programs, and a few are caused by compilers producing incorrect code. A program that contains a large number of bugs, and/or bugs that seriously interfere with its functionality, is said to be buggy or defective. Reports detailing bugs in a program are commonly known as bug reports, defect reports, fault reports, problem reports, trouble reports, change requests and so forth.

There is no "developers' point of view" in this ↑

26 minutes ago, opentype said:
> Not even your exaggerated claim of a “security breach” will change the definition of a bug.

I do not try to change the definition of the bug since it suits well to this case. I am just saying that this is not free of cost software and people may know the truth: there is no security in uploading their personal photographs to the so called protected categories.

opentype Posted June 5, 2016

43 minutes ago, RPG-support said:
> There is no "developers' point of view" in this ↑

Really? You have not only read the definition, but also the further explanation and still want to twist it? What about that paragraph you don’t understand? Of course it’s all about the developers: “mistakes and errors made by people in either a program's source code or its design, or in frameworks and operating systems used by such programs, and a few are caused by compilers producing incorrect code”. It’s clearly about the software and the people MAKING the software, not about what the users might think and want. Both the short definition I posted as well as the longer text you posted fully support what I said and leave no room to turn that around.

50 minutes ago, RPG-support said:
> I do not try to change the definition of the bug since it suits well to this case. I am just saying that this is not free of cost software and people may know the truth: there is no security in uploading their personal photographs to the so called protected categories.

Again: Make a feedback post about it. Functionalities can change. Descriptions of permission settings can change to make it more clear that, for example, a “view image permission” refers to the page with the image, not a direct image URL call. Follow this procedure and that’s the best chance to get heard. Making wrong claims about what a bug is only gets you roped in a discussion about what a bug is and distracts from what you actually want …

RPG-support (Author) Posted June 5, 2016

16 minutes ago, opentype said:
> It’s clearly about the software and the people MAKING the software, not about what the users might think and want.

Bad users want software without bugs but wise developers do not see any bugs. Is it strange? Google pays for bugs to general people, not to the developers. What in the "see images" group permission rule you do not understand?

16 minutes ago, opentype said:
> Descriptions of permission settings can change to make it more clear that, for example, a “view image permission” refers to the page with the image, not a direct image URL call.

This is your dream I think. This is obviously not so.

16 minutes ago, opentype said:
> Making wrong claims about what a bug is only gets you roped in a discussion about what a bug is and distracts from what you actually want …

I do not think that my message is wrong. It is correctly posted in the correct place: company feedback.

Colonel_mortis Posted June 5, 2016

Being able to view an image by visiting the direct URL isn't a bug though. As Andy explained, the image URL is obfuscated, so the only way it would become accessible to a member without view permission would be if the image URL was copied by someone who did have permission to view it, and posted somewhere else. At that point, there's nothing you can do, because even if you did check for view permission before displaying the image, a user with permission could also share a screenshot, or download the image and upload it somewhere else.

You said in the bug report that

Quote:
> URL may be obtained from the search engine like Google images

That is only true if a page where the image is embedded is visible to guests, in which case the user doesn't need to use Google images at all.

RPG-support (Author) Posted June 5, 2016

15 minutes ago, Colonel_mortis said:
> That is only true if a page where the image is embedded is visible to guests, in which case the user doesn't need to use Google images at all.

Sometimes people change category permissions. And the url will work always even if you do not want this now.

15 minutes ago, Colonel_mortis said:
> a user with permission could also share a screenshot, or download the image and upload it somewhere else

This does not mean that we should not take actions to prevent personal data leakage on the software level. What people do is the problem of the site owner and moderators but they should have properly protected software. So, your logic is only partially good.

RPG-support (Author) Posted June 5, 2016

1 hour ago, opentype said:
> Really? You have not only read the definition, but also the further explanation and still want to twist it? What about that paragraph you don’t understand? Of course it’s all about the developers: “mistakes and errors made by people in either a program's source code or its design, or in frameworks and operating systems used by such programs, and a few are caused by compilers producing incorrect code”. It’s clearly about the software and the people MAKING the software

But this (bold text) does not mean that the flaw in the software is the bug by the developers' opinion only as you claimed.

Lindy (Management) Posted June 6, 2016

Let me explain how our development works as of this year. We have development and engineering. Bugs are fixed by general development, except in the case of something that requires restructuring, has large impact, etc. In those cases, it is sent for engineering review. Generally speaking, anything that changes the intended behavior of the product is not within the scope of one developer to change/address/resolve within a bug report. Such things need to go through general feedback to ensure internal teams are aware and have input into any changes.

In this case, let's say Andy makes a change to inherit permissions. He may not be aware that: engineering spec'd it that way for performance reasons (he was actually aware of this) or that sales markets this as a feature via sales inquiries or that support would need to know to consider someone getting an error that previously didn't to be the new "intended behavior."

So, it's not a bug, it was done intentionally and the only way to change that per IPS policy is to follow the appropriate protocol.

opentype Posted June 6, 2016

7 hours ago, RPG-support said:
> But this (bold text) does not mean that the flaw in the software is the bug by the developers' opinion only as you claimed.

I didn’t say “opinion”, because this isn’t a matter of opinion. I said “expected results from the point of view of the developers”. The key word to focus on here is “expected” (result). If being able to access the image URL directly independent from the permission settings was set up this way by the developers, it is not a bug. If it happens, but they didn’t mean to have that behavior, it is a bug. That’s why I added the “point of view of the developers”. As users we can not always know what the intended behavior is, but once a staff member has checked it out and confirmed that this behavior is indeed intended, we/you need to accept that it is not a bug.

8 hours ago, RPG-support said:
> It is correctly posted in the correct place: company feedback.

But you didn’t make a feature request about these things (which would be the recommended and most constructive thing to do), but instead complained about a supposed different understanding of bugs.

Hitori Bocchi Posted June 6, 2016

10 hours ago, Colonel_mortis said:
> Being able to view an image by visiting the direct URL isn't a bug though. As Andy explained, the image URL is obfuscated, so the only way it would become accessible to a member without view permission would be if the image URL was copied by someone who did have permission to view it, and posted somewhere else. At that point, there's nothing you can do, because even if you did check for view permission before displaying the image, a user with permission could also share a screenshot, or download the image and upload it somewhere else.
>
> You said in the bug report that
>
> That is only true if a page where the image is embedded is visible to guests, in which case the user doesn't need to use Google images at all.

You cannot wrap up those things. You can share a link, not knowing that the one you share it with has no permissions to view it, but if you go that far to make a screenshot of it or reupload it, instead of linking the picture, that means you are already aware of the other person having no rights to view it. So your first assumption would have to be, that the user is innocent sharing it and not guilty simply because he could share it in other ways.

How does it behave if you link such a picture in the forum? Is it visible to all? Is there any way to tell, that the picture you are about to link is in an album with limited permission? How good is the visibility of those warning(s)?

RPG-support (Author) Posted June 6, 2016

2 hours ago, opentype said:
> I didn’t say “opinion”, because this isn’t a matter of opinion. I said “expected results from the point of view of the developers”.

Expected result and the opinion are the same in this context. Because users may also have opinion and expected result. This is not the matter of the deep wise philosophical jugglery of words. You simply do not want to see the obvious things: See images group permission is the thing that is intended for hiding images. But it is hiding the php pages at the moment, not the images.

RPG-support (Author) Posted June 6, 2016

6 hours ago, Lindy said:
> Such things need to go through general feedback to ensure internal teams are aware and have input into any changes.

Let us change the accepted by default practice when bug reporter has to go to the feedback forum and leave the opinion. Most opinions are without the company feedback on the feedback forum. From the general user point of view the reported situation is not the expected software behaviour but rather the unwanted flaw in the software which is in accordance with the bug definition (see above). So, make your workers report the bug themselves instead of always telling people to leave the opinion.

opentype Posted June 6, 2016

41 minutes ago, RPG-support said:
> Expected result and the opinion are the same in this context.

No.

41 minutes ago, RPG-support said:
> Because users may also have opinion and expected result.

Of course. But their opinion is completely irrelevant in regards to whether something is actually a bug or not. What is a bug ONLY depends on whether the developers have intended a certain behavior or not. So can you please let this go now? You were wrong and you quoted the definition yourself to prove it. Stop being stubborn about it. Nothing wrong with being wrong and learning something new.

41 minutes ago, RPG-support said:
> You simply do not want to see the obvious things: See images group permission is the thing that is intended for hiding images.

No, it is not. This might have been your expectation, but it is not how the developers have set it up, ergo it’s not a bug. This has been explained to you now so many times by different people. I’m out now. If you still don’t understand it, you just don’t want to understand it.

RPG-support (Author) Posted June 6, 2016

18 minutes ago, opentype said:
> Stop being stubborn about it.

I like to be stubborn in the sense resolute. Thank you for your compliment.

18 minutes ago, opentype said:
> But their opinion is completely irrelevant in regards to whether something is actually a bug or not. What is a bug ONLY depends on whether the developers have intended a certain behavior or not

You think that there are 2 opinions only: 1) users and 2) developers. But there are other points of view in the world. World is not as small as your close understanding of the matter of this topic. So there are other points of view: 3) common sense and 4) general accepted practice of doing things.

From the point 3 (common sense) - bugs may be noticed by the users also even if the developers are not following the common sense in the product planning and development.

From the point 4 (general accepted practice of doing things) - all major companies accept security bugs from the users. For example FB paid the user for finding the security breach which allowed to see the private photos of another user.

18 minutes ago, opentype said:
> I’m out now.

Thank you for your time. Your posts made the situation more clear and the understanding of the problem deeper. Have a nice time!

Colonel_mortis Posted June 6, 2016

45 minutes ago, RPG-support said:
> You think that there are 2 opinions only: 1) users and 2) developers. But there are other points of view in the world. World is not as small as your close understanding of the matter of this topic. So there are other points of view: 3) common sense and 4) general accepted practice of doing things.
>
> From the point 3 (common sense) - bugs may be noticed by the users also even if the developers are not following the common sense in the product planning and development.
>
> From the point 4 (general accepted practice of doing things) - all major companies accept security bugs from the users. For example FB paid the user for finding the security breach which allowed to see the private photos of another user.

From a user's point of view, this can seem like a bug, and it therefore makes sense that it is reported.

From a developer's point of view, this is working as intended, and is the result of a very deliberate design decision, because doing it any other way would cause a considerable performance impact when loading any image in the suite. There are already mitigating factors in place, as has been explained above, so, even if you have a very strong case to support changing it, it has to be changed via feedback, not a bug report, because it is working as intended.

The common sense point of view is the same as a user's - it may seem like a bug, but that doesn't necessarily mean that it is a bug.

From a generally accepted practice point of view, this is not a bug. I uploaded a picture to Facebook, and set the privacy to "only me". That means that nobody else can see it, right? The direct URL of that image is https://scontent-lhr3-1.xx.fbcdn.net/v/t1.0-9/13327402_1136905086380718_6728779455474510633_n.jpg?oh=8d839ea693a280cf5fcb9bf567675433&oe=57CE90FD. You can view that image, even though you don't have permission to view it on Facebook. That is not a bug.

The Facebook bug that you are referring to would have allowed a user to view all images submitted by a user, and would be similar to going to the user's activity feed and seeing everything, whether you have permission to view it or not. Being able to access an image directly via a URL is very common among large websites, because the images are stored completely separately from the logic, and are optimised to be served quickly and efficiently, which is not possible if checking authentication.

2 hours ago, Hitori Bocchi said:
> You cannot wrap up those things. You can share a link, not knowing that the one you share it with has no permissions to view it, but if you go that far to make a screenshot of it or reupload it, instead of linking the picture, that means you are already aware of the other person having no rights to view it. So your first assumption would have to be, that the user is innocent sharing it and not guilty simply because he could share it in other ways.
>
> How does it behave if you link such a picture in the forum? Is it visible to all? Is there any way to tell, that the picture you are about to link is in an album with limited permission? How good is the visibility of those warning(s)?

Sharing a link to the album/post/etc where the image resides is the typical way of sharing the image, and that respects view permissions. If you were going to share an image, you would copy the gallery URL, then paste it into the thread. If you did right click and copy the image location, then paste it into a thread, then yes, that would allow other users to view it, and I guess that could, under certain circumstances, be undesirable. However, most of the time, if an image is private, and it actually matters that it remains private, then everybody who does have permission to view the image would know that it is not public, and would not distribute it. This is the same way that it works on Facebook, as well as most other websites on the internet.

It may not be perfect, but perfect isn't possible to achieve in this case, so it is a trade-off between not wasting performance, and preventing people from accidentally sharing a permission-protected image.

One thing IPS could do which would help this issue would be to make gallery embeds actually embed the whole image, rather than just a pretty useless preview. That would mean that you can paste the gallery URL rather than the image URL to show the full page image, and permission checks can then be done when the image is shared. It wouldn't stop people from ever copying the image URL, but it would help prevent people from sharing it without thinking about the permissions.

opentype Posted June 6, 2016

Just a thought for @Lindy and the team: maybe bug reports and feature requests could just be different categories in ONE Pages database. Both types could be added as before, but once a bug report turns out to be working as intended, it could easily be moved to the feature request category. And in addition that category could make use of the Pages features, for example to set and filter the status (planned/not planned/…), assign departments, staff members, version numbers and so on. All the nice things Pages offers. :-)

Hitori Bocchi Posted June 6, 2016

12 minutes ago, Colonel_mortis said:
> Sharing a link to the album/post/etc where the image resides is the typical way of sharing the image, and that respects view permissions. If you were going to share an image, you would copy the gallery URL, then paste it into the thread. If you did right click and copy the image location, then paste it into a thread, then yes, that would allow other users to view it, and I guess that could, under certain circumstances, be undesirable. However, most of the time, if an image is private, and it actually matters that it remains private, then everybody who does have permission to view the image would know that it is not public, and would not distribute it.

My standard is actually taking the URL from the image and not the link to the album and that is the standard across other forum softwares as well. I had to add to my site a share this link, like in vB and xenforo, because the IPB standard here is quite useless. If it would display in the way you suggested it might be useful, but as it is now it's a "standard" image board owners necessarily have to avoid.

RPG-support (Author) Posted June 6, 2016

1 hour ago, Colonel_mortis said:
> From a generally accepted practice point of view, this is not a bug. I uploaded a picture to Facebook, and set the privacy to "only me".

Facebook is not only the case, there is also Gmail. Otherwise your example is the user's opinion but not the general practice. The general practice is going towards increasing of security whereas IPS is not. Below is the clear example.

This screenshot is showing the url of the attached to the letter image in Gmail. Obviously this url can not be used to share the private information (image) in Internet.

And here is the url of the image attached to the personal message in the IP Suite. Obviously this url can be used to share the private information (image) in Internet.

RPG-support (Author) Posted June 6, 2016

1 hour ago, Colonel_mortis said:
> This is the same way that it works on Facebook, as well as most other websites on the internet.

This is obviously not so as shown on the Gmail example above.

1 hour ago, Colonel_mortis said:
> It may not be perfect, but perfect isn't possible to achieve in this case, so it is a trade-off between not wasting performance, and preventing people from accidentally sharing a permission-protected image.

I do not agree with the "wasting performance" argument. Until there are not particular figures showing the difference in performance, your argument is not telling the truth. Don't you agree that adding images into the separate folders (1 Gallery category = 1 image folder) will help to check the permission rules (including image url) on the per category/folder basis?

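Added example, not part of any post in this thread and not IPS code: a Python model of the two designs argued over above, a static obfuscated image URL served with no permission check versus a short-lived signed URL that is bound to the viewer and re-checked against the current category permission. The key, names, paths and sample gallery are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not from the thread or from IPS).
SECRET_KEY = b"constructed-demo-key"        # hypothetical server-side secret
CATEGORY_GROUPS = {"family": {"members"}}   # category -> groups with "see images"
IMAGES = {"img42": {"category": "family", "file": "a9f3c1e07b52.jpg"}}
USERS = {"alice": "members", "bob": "members", "guest": "guests"}


def can_view(user, image_id):
    """Evaluate the category's view permission for this user right now."""
    category = IMAGES[image_id]["category"]
    return USERS.get(user) in CATEGORY_GROUPS[category]


def revoke_group(category, group):
    """An administrator removes a group from a category after upload."""
    CATEGORY_GROUPS[category].discard(group)


def fetch_static(path):
    """Model 1: obfuscated file name, served with no permission check at all."""
    return any(path == "/uploads/" + img["file"] for img in IMAGES.values())


def _sign(image_id, user, expires):
    msg = "{}|{}|{}".format(image_id, user, expires).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_signed_url(user, image_id, now, ttl=300):
    """Model 2: the gallery page issues a short-lived URL bound to the viewer."""
    if not can_view(user, image_id):
        raise PermissionError("no view permission")
    expires = int(now) + ttl
    sig = _sign(image_id, user, expires)
    return "/image/{}?u={}&e={}&s={}".format(image_id, user, expires, sig)


def fetch_signed(url, session_user, now):
    """Serve only if signature, expiry, session binding and permission all hold."""
    parts = urlsplit(url)
    image_id = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query)
    try:
        user, sig = query["u"][0], query["s"][0]
        expires = int(query["e"][0])
    except (KeyError, ValueError):
        return False
    if image_id not in IMAGES:
        return False
    expected = _sign(image_id, user, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                 # forged or edited parameters
    if now > expires:
        return False                 # stale link
    if session_user != user:
        return False                 # link opened from a different account
    return can_view(session_user, image_id)   # revocation applies immediately
```

In this model a copied signed link fails for any other account and stops working once the category permission is removed, while the static path keeps resolving; the price is one HMAC and one permission lookup per image request.
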
Matt (Management) Posted June 6, 2016

I'm going to go ahead and lock this. RPG, we often butt heads in the bug tracker, and I don't think arguing semantics is really helping anyone. Feel free to contact me via a support ticket or PM if you want to talk or push for a code change because of feedback you wish to give.

Archived
This topic is now archived and is closed to further replies.