Bug 489756
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | non-privileged users able to remove others from the CC list | | |
| Product: | [Community] Bugzilla | Reporter: | Vincent Danen <vdanen> |
| Component: | Creating/Changing Bugs | Assignee: | Simon Green <sgreen> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 3.6 | CC: | agk, ebaak, kbaker, kseifried, kurt |
| Target Milestone: | --- | Keywords: | FutureFeature, Reopened |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-07-01 20:48:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description (Vincent Danen, 2009-03-11 17:58:54 UTC)
Hi Vincent, I don't really think this is a big issue really, and I agree with upstream that people who are able to add others to the cc list should be able to remove them as well. Only people who have access to the bugs can do that, as bugs can either be public or be associated with private groups, so only people in those groups can make changes to the bugs, including cclist changes. I am not sure about that security-related bug you are talking about, as regular users don't have access to security bugs; please give us an example of a bug number that was accessed and changed by an unauthorized user. Also, another thing is that if any user gets removed from the cclist, they get notified by email that they have been removed.

Noura

No, it wasn't a private security bug, it was a public one. Obviously group restrictions would prevent someone from changing the cclist of a private bug; that's not what I'm talking about. Also, I didn't mean to imply that *this* is a security bug. I just think it's wrong behaviour that if I add myself to the cclist of a public bug, any average joe can remove me. Sure, I'd get an email about it, and can add myself back, but I don't think that should be something that just anyone should be able to do.

Well, it's not just deleting people off the list, but I can add joe random as well.

Assuming this behaves as described (and I haven't tested it), how often do people have a genuine reason to remove other people from bugs? How often do people accidentally/deliberately remove other people when they shouldn't? Could the cure cause more hassle than the problem? The thing that causes me most trouble in this area is when someone takes a bug assigned to me and reassigns it to someone else without adding me to the cc. I'd like an option to say 'always add me to the cc if someone else takes ownership of a bug away from me'.

Red Hat Bugzilla is now using version 3.4 of the Bugzilla codebase and therefore this feature will need to be implemented against the new release. Updating bug version to 3.2.

Red Hat has now upgraded to Bugzilla 3.6 and this bug will now be reassigned to that version. It would be helpful to the Bugzilla Development Team if this bug is verified to still be an issue with the latest version. If it is no longer an issue, then feel free to close; otherwise please comment that it is still a problem and we will try to address the issue as soon as we can.

Thanks,
Bugzilla Development Team

Still works. I went to Bug 489755 and deleted tscherf from it and then re-added him. You can go to any bug and add/remove anyone from the CC list.

This was fixed upstream as part of the Bugzilla 4.2 release. https://bugzilla.mozilla.org/show_bug.cgi?id=28849

-- simon

Bug history:
- kurt, 2012-06-20 01:14:28 EDT: CC tkramer
- kurt, 2012-06-20 01:14:50 EDT: CC tkramer

And we're still vulnerable. I was able to do this from my personal account (picked a random open bug, removed/added tkramer back in). For reference it was https://bugzilla.redhat.com/show_activity.cgi?id=799187

This behaves correctly for me: using a non-privileged account, I only have the option to remove myself, not other people. Does fedora_contrib, which you have on that test account, provide additional permissions?

Ah, interesting. I have confirmed that this does indeed behave properly: I created another account, and it is unable to remove users. So yes, my kurt account appears to have some additional privileges (likely due to the Fedora stuff). Thanks!
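The access rule the closing comments describe (a bug's group restriction gates all changes, a non-privileged account may drop only itself from the CC list, anyone removed is notified), written out as an added illustrative policy model in Python. This is not Bugzilla's own Perl code; the group name `editbugs`, the `security` group and the sample users are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    login: str
    groups: frozenset = frozenset()   # e.g. {"editbugs"}; group names are assumed


@dataclass
class Bug:
    id: int
    cc: set
    restricted_to: frozenset = frozenset()   # empty means the bug is public


class PermissionDenied(Exception):
    pass


def can_see_bug(user: User, bug: Bug) -> bool:
    """Public bugs are visible to everyone; restricted bugs only to members of their groups."""
    return not bug.restricted_to or bool(user.groups & bug.restricted_to)


def cc_removal_allowed(actor: User, bug: Bug, logins) -> bool:
    """Fixed policy: you must be able to see the bug, and unless you hold the
    (assumed) editbugs privilege you may only remove yourself.
    The pre-4.2 behaviour discussed above skipped the second check."""
    if not can_see_bug(actor, bug):
        return False
    if "editbugs" in actor.groups:
        return True
    return set(logins) <= {actor.login}


def remove_from_cc(actor: User, bug: Bug, logins, notify) -> set:
    """Apply CC removals on behalf of actor, all-or-nothing.

    Returns the logins actually removed; each one is passed to notify(login, bug_id)
    so the affected person learns about the change, as the thread notes Bugzilla does.
    """
    if not cc_removal_allowed(actor, bug, logins):
        raise PermissionDenied(f"{actor.login} may not remove {sorted(logins)} from bug {bug.id}")
    removed = {login for login in logins if login in bug.cc}
    bug.cc -= removed
    for login in removed:
        notify(login, bug.id)
    return removed
```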