Bug 56312 - Group rights gives unrestricted access
Product: Bugzilla
Classification: Community
Component: Bugzilla General
All Linux
medium Severity medium
Assigned To: David Lawrence
: Security
Reported: 2001-11-15 08:13 EST by Alex Schuilenburg
Modified: 2007-04-18 12:38 EDT (History)
Doc Type: Bug Fix
Last Closed: 2004-06-17 10:51:19 EDT
Description Alex Schuilenburg 2001-11-15 08:13:11 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011012

Description of problem:
I created an "ascom" group bug+contract for ASCOM (customer) to allow them
to create private/shared eCos bugs.  I gave their lead engineer (a trusted
person) "Can put people in and out of groups that they are members of."
access and he reported that he had complete access to modify all options
(i.e. "Check which Bugzilla group(s) you wish this member to be in.") for
himself, and thereby give himself full access.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create new group
2. Add a member to the group who is not a member of any other group
3. Log on as that member
4. Select query
5. Select modify member options, enter member id
6. Observe modifiable "Check which Bugzilla group(s) you wish this member
to be in." fields.

Expected Results:  Only groups the person is a member of should be listed
in "Check which Bugzilla group(s) you wish this member to be in."

We need a "Can put people in and out of any groups" option for
administrators, and a "Can put people in and out of groups that they are
members of" option for group administrators, IMHO.

Additional info:

Comment 1 David Lawrence 2001-11-15 10:30:23 EST
This is actually a current feature of Bugzilla 2.14 that we are not running
yet. We will be migrating to that hopefully in the future. Unfortunately as the
system is right now, a person who has the ability to edit group memberships can
do so for anyone else, even himself. With the new Bugzilla there is a separate
option for each person where they can "bless" others into the groups they belong
to if an admin gives them that ability. This is what you are looking for so
hopefully it will not be long.
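
The difference between the reported behaviour and the per-group "bless" model described in Comment 1, as an added example that is not part of the original bug report and is not Bugzilla's own code (Python is used for illustration). The `User` model, the function names and the sample group names are hypothetical.

```python
from dataclasses import dataclass, field

ALL_GROUPS = {"ascom", "admin", "editusers"}  # constructed sample group names

@dataclass
class User:  # hypothetical model, not Bugzilla's schema
    login: str
    groups: set = field(default_factory=set)
    can_bless: bool = False  # may edit membership of groups they belong to
    is_admin: bool = False   # may edit membership of any group

def editable_flawed(editor):
    """Reported behaviour: one group-editing right exposes every group."""
    return set(ALL_GROUPS) if (editor.can_bless or editor.is_admin) else set()

def editable_scoped(editor):
    """Expected behaviour: non-admins only get groups they are members of."""
    if editor.is_admin:
        return set(ALL_GROUPS)
    return editor.groups & ALL_GROUPS if editor.can_bless else set()

def set_groups(editor, target, requested, editable):
    """Apply a submitted membership form server-side.

    Any membership that would flip must be inside the editor's scope;
    hiding checkboxes in the form alone would not enforce this.
    """
    changed = set(requested) ^ target.groups  # memberships that would flip
    denied = changed - editable(editor)
    if denied:
        raise PermissionError(f"{editor.login} may not change: {sorted(denied)}")
    target.groups = set(requested)
    return target.groups

def self_escalation_possible(editable):
    """True if a group lead can add themselves to a group they are not in."""
    lead = User("lead@example.com", {"ascom"}, can_bless=True)
    try:
        set_groups(lead, lead, {"ascom", "admin"}, editable)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    print("flawed policy:", self_escalation_possible(editable_flawed))
    print("scoped policy:", self_escalation_possible(editable_scoped))
```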
