Closed
Bug 179207
Opened 22 years ago
Closed 22 years ago
Blessing doesn't work right
Categories
(Bugzilla :: User Accounts, defect)
RESOLVED
FIXED
Bugzilla 2.18
People
(Reporter: gerv, Assigned: myk)
Attachments
(1 file, 1 obsolete file)
912 bytes, patch | justdave: review+
According to userprefs.cgi, I can bless only canconfirm and editbugs. However, I just tested, and I can bless other groups as well. This could be because I've got a fair number of admin privs - so either the userprefs should notice and say "You can bless anyone", or blessing is broken. Gerv
Comment 1 • 22 years ago (Assignee)
This could be a security bug. Securing until someone figures it out.
Group: webtools-security
Comment 2 • 22 years ago
myk, what does:

SELECT user_group_map.* FROM user_group_map, profiles WHERE user_group_map.user_id = profiles.user_id AND profiles.login_name = 'gerv@mozilla.org'

give? What permissions does your editusers page claim that you have?
Comment 3 • 22 years ago (Reporter)
My editusers page says that I am a member of every group going except "security" (Mozilla security) and "Inactive Bugs". It says I can bless canconfirm and editbugs.

My user preferences permissions page says:

You have the following permission bits set on your account:
  canconfirm              Can confirm a bug.
  creategroups            Can create and destroy groups.
  editbugs                Can edit all aspects of any bug.
  editcomponents          Can create, destroy, and edit components.
  editkeywords            Can create, destroy, and edit keywords.
  editusers               Can edit or disable users
  inactivebugs            Inactive Bugs
  mozillaorgconfidential  mozilla.org Confidential
  netscapeconfidential    Netscape Confidential
  tweakparams             Can tweak operating parameters
  webtools-security       Webtools Security-Sensitive Bug
And you can turn on or off the following bits for other users:
  canconfirm              Can confirm a bug.
  editbugs                Can edit all aspects of any bug.

I can add bbaetz to, and remove him from, and allow him to bless, and stop him blessing, the following sample groups: editusers (of which I am a member), inactive bugs (of which I am not a member) and mozillaorgconfidential.

Gerv
Comment 4 • 22 years ago
Anyone with editusers can bless anything, correct? Was Gerv previously not in editusers?
Comment 5 • 22 years ago (Reporter)
No, I've always been in editusers. But I don't think having the editusers privilege should mean anyone can do anything - you need editusers just to _see_ the editusers page; surely, then, it should present you with only the options you are allowed to change? Otherwise the whole concept of blessing falls apart. Gerv
Comment 6 • 22 years ago
This is exactly the way that 2.16 works. editusers makes blessgroupset irrelevant.
Comment 7 • 22 years ago
See bug 145849.
Blessers are permitted to see the user edit. Editusers means you can bless anything.
Comment 8 • 22 years ago (Reporter)
So editusers is equivalent to a person being given all the bless bits? There's two things here. Firstly, the user prefs page should say that I can bless any, if that's the truth. Secondly, I think we should therefore eliminate the editusers group in favour of just checking all the boxes for a particular user. Is this still a security issue, if it's working as designed?

Gerv
Comment 9 • 22 years ago
OK, this replaces the list of groups in the prefs UI with a statement that the user can edit all the users anyway.
Comment 10 • 22 years ago (Reporter)
You should be getting the editusers value from either the user.groups object or (better) UserInGroup("editbugs"), for consistency and understandability. Gerv
Comment 12 • 22 years ago
Comment on attachment 105692: UI change

r=justdave a=justdave IF you remove the QA contact stuff from this patch before checking in. That's a different bug.
Attachment #105692 - Flags: review+
Comment 14 • 22 years ago
Comment on attachment 105693: Cleaner patch

r=justdave
Attachment #105693 - Flags: review+
Comment 15 • 22 years ago
Checking in permissions.html.tmpl; 2,13 All
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/permissions.html.tmpl,v  <--  permissions.html.tmpl
new revision: 1.4; previous revision: 1.3
done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Updated • 22 years ago
Target Milestone: --- → Bugzilla 2.18
Updated • 12 years ago
QA Contact: matty_is_a_geek → default-qa
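
The rule stated in comments 6 and 7 and the display change described in comment 9, modelled in Python as an added example (not Bugzilla's code or schema; the User class, the function names and the sample accounts are assumptions made for illustration). It compares what enforcement allows with what the preferences page lists, which is the mismatch this bug reports.

```python
from dataclasses import dataclass, field

# Group names taken from the thread; the accounts below are constructed.
ALL_GROUPS = {"canconfirm", "editbugs", "editusers", "inactivebugs",
              "mozillaorgconfidential", "tweakparams"}

@dataclass
class User:
    login: str
    member_of: set = field(default_factory=set)  # groups the user belongs to
    bless_set: set = field(default_factory=set)  # groups explicitly marked blessable

def can_bless(user, group):
    """Enforcement as described in comments 6-7: editusers overrides the bless set."""
    return "editusers" in user.member_of or group in user.bless_set

def displayed_old(user):
    """Prefs page before the fix: only the explicit bless set is listed."""
    return set(user.bless_set)

def displayed_fixed(user):
    """Prefs page after the fix: editusers members are told they can change everything."""
    if "editusers" in user.member_of:
        return set(ALL_GROUPS)
    return set(user.bless_set)

def display_gaps(user, displayed):
    """Compare what the server enforces with what the page tells the user."""
    enforced = {g for g in ALL_GROUPS if can_bless(user, g)}
    shown = displayed(user)
    return {"undisclosed": enforced - shown,  # allowed but not shown
            "overstated": shown - enforced}   # shown but not allowed

ADMIN = User("admin@example.com", {"editusers", "canconfirm"},
             {"canconfirm", "editbugs"})
BLESSER = User("blesser@example.com", {"canconfirm"}, {"canconfirm"})

if __name__ == "__main__":
    for u in (ADMIN, BLESSER):
        for name, view in (("old", displayed_old), ("fixed", displayed_fixed)):
            print(u.login, name, display_gaps(u, view))
```

Running the same comparison as a regression test keeps a permissions page from drifting away from the checks the server actually applies.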