Red Hat Bugzilla – Bug 56312
Group rights gives unrestricted access
Last modified: 2007-04-18 12:38:18 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011012
Description of problem:
I created an "ascom" group bug+contract for ASCOM (customer) to allow them
to create private/shared eCos bugs. I gave their lead engineer (a trusted
person) "Can put people in and out of groups that they are members of."
access and he reported that he had complete access to modify all options
(i.e. "Check which Bugzilla group(s) you wish this member to be in.") for
himself, and thereby give himself full access.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create new group
2. Add a member to the group who is not a member of any other group
3. Log on as that member
4. Select query
5. Select modify member options, enter member id
6. Observe modifiable "Check which Bugzilla group(s) you wish this member
to be in." fields.
Expected Results: Only groups the person is a member of should be listed
in "Check which Bugzilla group(s) you wish this member to be in."
We need a "Can put people in and out of any groups" option for
administrators, and a "Can put people in and out of groups that they are
members of" option for group administrators, IMHO.
This is actually a current feature of Bugzilla 2.14 that we are not yet
running. We will be migrating to that hopefully in the future. Unfortunately as the
system is right now, a person who has the ability to edit group memberships can
do so for anyone else, even himself. With the new Bugzilla there is a separate
option for each person where they can "bless" others into the groups they belong
to if an admin gives them that ability. This is what you are looking for so
hopefully it will not be long.
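
The restriction asked for in this report, as an added Python example that is not Bugzilla's code and not part of the original report: the check runs on the submitted change, not only on which checkboxes are shown. All class, function and group names other than "ascom" are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample data; only "ascom" appears in the report.
ALL_GROUPS = {"ascom", "other-customer", "site-admin"}

@dataclass
class User:
    login: str
    groups: set = field(default_factory=set)
    is_admin: bool = False        # "in and out of any groups"
    can_bless_own: bool = False   # "groups that they are members of"

def grantable_groups(editor):
    """Groups this editor may add or remove on any account."""
    if editor.is_admin:
        return set(ALL_GROUPS)
    if editor.can_bless_own:
        return editor.groups & ALL_GROUPS
    return set()

def apply_membership_edit(editor, target, requested):
    """Set target's groups to `requested` if every change is permitted.

    A form that lists only grantable groups can still be bypassed by a
    hand-built request, so the submitted set is diffed against the
    current membership and the whole edit is rejected on any violation.
    """
    changed = set(requested) ^ target.groups   # groups added or removed
    denied = changed - grantable_groups(editor)
    if denied:
        raise PermissionError(
            f"{editor.login} may not change: {', '.join(sorted(denied))}")
    target.groups = set(requested)
    return target.groups

def demo():
    """Group lead adds a colleague, then tries to widen their own access."""
    lead = User("lead@example.com", {"ascom"}, can_bless_own=True)
    colleague = User("dev@example.com")
    apply_membership_edit(lead, colleague, {"ascom"})        # permitted
    try:
        apply_membership_edit(lead, lead, {"ascom", "site-admin"})
        escalated = True
    except PermissionError:
        escalated = False
    return colleague.groups, lead.groups, escalated

if __name__ == "__main__":
    print(demo())
```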