Bug 56312 - Group rights gives unrestricted access
Summary: Group rights gives unrestricted access
Alias: None
Product: Bugzilla
Classification: Community
Component: Bugzilla General   
Version: 2.8
Hardware: All
OS: Linux
medium vote
Target Milestone: ---
Assignee: David Lawrence
QA Contact: David Lawrence
Keywords: Security
Depends On:
Reported: 2001-11-15 13:13 UTC by Alex Schuilenburg
Modified: 2007-04-18 16:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-06-17 14:51:19 UTC

Description Alex Schuilenburg 2001-11-15 13:13:11 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011012

Description of problem:
I created an "ascom" group bug+contract for ASCOM (customer) to allow them
to create private/shared eCos bugs.  I gave their lead engineer (a trusted
person) "Can put people in and out of groups that they are members of."
access and he reported that he had complete access to modify all options
(i.e. "Check which Bugzilla group(s) you wish this member to be in.") for
himself, and thereby give himself full access.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create new group
2. Add a member to the group who is not a member of any other group
3. Log on as that member
4. Select query
5. Select modify member options, enter member id
6. Observe modifiable "Check which Bugzilla group(s) you wish this member
to be in." fields.

Expected Results:  Only groups the person is a member of should be listed
in "Check which Bugzilla group(s) you wish this member to be in."

We need a "Can put people in and out of any groups" option for
administrators, and a "Can put people in and out of groups that they are
members of" option for group administrators, IMHO.

Additional info:

Comment 1 David Lawrence 2001-11-15 15:30:23 UTC
This is actually a current feature of Bugzilla 2.14 that we are not yet
running. We will be migrating to that hopefully in the future. Unfortunately as the
system is right now, a person who has the ability to edit group memberships can
do so for anyone else, even himself. With the new Bugzilla there is a separate
option for each person where they can "bless" others into the groups they belong
to if an admin gives them that ability. This is what you are looking for so
hopefully it will not be long.
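
The difference between the single global permission described in this report and the per-group "bless" model mentioned in Comment 1, as an added Python sketch that is not Bugzilla's code. The class, the function names and the `siteadmin` group are hypothetical; only the `ascom` group comes from the report.

```python
# Added illustration: hypothetical names, not Bugzilla's implementation.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)   # groups the user belongs to
    can_edit_members: bool = False             # single global flag, as in the report
    bless: set = field(default_factory=set)    # groups an admin lets this user grant
    is_admin: bool = False

def policy_global_flag(editor, changed):
    """Reported behaviour: one flag unlocks every group for any target."""
    return set(changed) if editor.can_edit_members else set()

def policy_scoped(editor, changed):
    """Scoped model: only groups the editor is in AND was allowed to bless."""
    if editor.is_admin:
        return set(changed)
    return set(changed) & (editor.groups & editor.bless)

def apply_membership_change(editor, target, desired, policy):
    """Enforce on the server: authorize every group whose membership would
    change, rather than relying on which checkboxes the form displayed."""
    changed = target.groups ^ set(desired)     # groups being added or removed
    denied = changed - policy(editor, changed)
    if denied:
        raise PermissionError(f"{editor.name} may not change {sorted(denied)}")
    target.groups = set(desired)
    return sorted(target.groups)

def demo():
    """Constructed scenario: a customer lead tries to add himself to siteadmin."""
    results = {}
    for label, policy in (("global", policy_global_flag), ("scoped", policy_scoped)):
        lead = User("lead", {"ascom"}, can_edit_members=True, bless={"ascom"})
        try:
            results[label] = apply_membership_change(
                lead, lead, {"ascom", "siteadmin"}, policy)
        except PermissionError:
            results[label] = "denied"
    return results

if __name__ == "__main__":
    print(demo())
```
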
