From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011012

Description of problem:
I created an "ascom" group bug+contract for ASCOM (customer) to allow them to create private/shared eCos bugs. I gave their lead engineer (a trusted person) "Can put people in and out of groups that they are members of." access and he reported that he had complete access to modify all options (i.e. "Check which Bugzilla group(s) you wish this member to be in.") for himself, and thereby give himself full access.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create new group
2. Add a member to the group who is not a member of any other group
3. Log on as that member
4. Select query
5. Select modify member options, enter member id
6. Observe modifiable "Check which Bugzilla group(s) you wish this member to be in." fields.

Expected Results:
Only groups the person is a member of should be listed in "Check which Bugzilla group(s) you wish this member to be in." We need a "Can put people in and out of any groups" option for administrators, and a "Can put people in and out of groups that they are members of" for group administrators option IMHO.

Additional info:

This is actually a current feature of Bugzilla 2.14 that we are not running yet. We will be migrating to that hopefully in the future. Unfortunately, as the system is right now, a person who has the ability to edit group memberships can do so for anyone else, even himself. With the new Bugzilla there is a separate option for each person where they can "bless" others into the groups they belong to if an admin gives them that ability. This is what you are looking for, so hopefully it will not be long.
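
The difference between the two permission models discussed in this report, as an added example that is not part of the original report and is not Bugzilla's code. The `User` model, the function names, and the "admin" group are assumptions made for illustration; only the "ascom" group comes from the report.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)   # groups the user belongs to
    can_edit_members: bool = False             # all-or-nothing edit permission
    bless: set = field(default_factory=set)    # groups an admin lets the user grant


def unscoped_set_groups(editor, target, requested):
    """Behaviour in the report: the edit permission covers every group."""
    if not editor.can_edit_members:
        raise PermissionError("editor may not change memberships")
    target.groups = set(requested)


def scoped_set_groups(editor, target, requested):
    """Per-group check, enforced on the server whatever the form displayed."""
    requested = set(requested)
    changed = requested ^ target.groups        # groups being added or removed
    allowed = editor.bless & editor.groups     # blessable AND a member of
    denied = changed - allowed
    if denied:
        raise PermissionError("may not change: " + ", ".join(sorted(denied)))
    target.groups = requested


def demo():
    # Constructed data: "admin" and the user names are hypothetical.
    lead = User("lead", {"ascom"}, can_edit_members=True)
    unscoped_set_groups(lead, lead, {"ascom", "admin"})
    escalated = "admin" in lead.groups         # self-escalation goes through

    lead = User("lead", {"ascom"}, bless={"ascom"})
    peer = User("peer")
    scoped_set_groups(lead, peer, {"ascom"})   # allowed: ascom is blessable
    try:
        scoped_set_groups(lead, lead, {"ascom", "admin"})
        blocked = False
    except PermissionError:
        blocked = True
    return escalated, peer.groups, blocked, lead.groups


if __name__ == "__main__":
    print(demo())
```

Hiding the other groups' checkboxes on the edit form is not sufficient on its own; the check has to run against the submitted values, as `scoped_set_groups` does.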