Closed Bug 179207 Opened 22 years ago Closed 22 years ago

Blessing doesn't work right

Categories

(Bugzilla :: User Accounts, defect)

2.17
defect
Not set
normal


RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: gerv, Assigned: myk)


Attachments

(1 file, 1 obsolete file)

According to userprefs.cgi, I can bless only canconfirm and editbugs. However, I
just tested, and I can bless other groups as well. This could be because I've
got a fair number of admin privs - so either the userprefs should notice and say
"You can bless anyone", or blessing is broken.

Gerv
This could be a security bug.  Securing until someone figures it out.
Group: webtools-security
Blocks: 179176
myk, what does:

SELECT user_group_map.* FROM user_group_map, profiles WHERE
user_group_map.user_id = profiles.user_id AND profiles.login_name =
'gerv@mozilla.org'

give?

What permissions does your editusers page claim that you have?
My editusers page says that I am a member of every group going except "security"
(Mozilla security) and "Inactive Bugs". It says I can bless canconfirm and editbugs.

My user preferences permissions page says:

 You have the following permission bits set on your account:

canconfirm Can confirm a bug.
creategroups Can create and destroy groups.
editbugs Can edit all aspects of any bug.
editcomponents Can create, destroy, and edit components.
editkeywords Can create, destroy, and edit keywords.
editusers Can edit or disable users
inactivebugs Inactive Bugs
mozillaorgconfidential mozilla.org Confidential
netscapeconfidential Netscape Confidential
tweakparams Can tweak operating parameters
webtools-security Webtools Security-Sensitive Bug

And you can turn on or off the following bits for other users:

canconfirm Can confirm a bug.
editbugs Can edit all aspects of any bug.

I can add bbaetz to, and remove him from, and allow him to bless, and stop him
blessing, the following sample groups: editusers (of which I am a member),
inactive bugs (of which I am not a member) and mozillaorgconfidential.

Gerv
Anyone with editusers can bless anything, correct?

Was Gerv previously not in editusers?

No, I've always been in editusers. But I don't think having the editusers
privilege should mean anyone can do anything - you need editusers just to _see_
the editusers page; surely, then, it should present you with only the options
you are allowed to change? Otherwise the whole concept of blessing falls apart.

Gerv

This is exactly the way that 2.16 works.

editusers makes blessgroupset irrelevant.

See bug 145849
Blessers are permitted to see the user edit.
Editusers means you can bless anything.
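Gerv's tests show that editusers overrides the per-group bless bits, while the prefs page was built from the bless bits alone. An added Python model (not Bugzilla code; the schema, table name bz_groups and sample users are constructed and simplified) runs the thread's user_group_map lookup through sqlite3 and shows why the page listing must derive from the same predicate as the actual bless check:

```python
import sqlite3

# Constructed, simplified stand-in for the Bugzilla 2.17 tables the thread
# queries (assumed schema, not Bugzilla's own): profiles, bz_groups and
# user_group_map, where isbless=1 marks a bless bit and isbless=0 membership.
SCHEMA = """
CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, login_name TEXT UNIQUE);
CREATE TABLE bz_groups (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE user_group_map (user_id INTEGER, group_id INTEGER, isbless INTEGER);
"""

def build_sample_db():
    """Constructed sample data: gerv is in editusers with bless bits only on
    canconfirm/editbugs; bbaetz is a plain editbugs member."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO profiles VALUES (?, ?)",
                     [(1, "gerv@mozilla.org"), (2, "bbaetz@example.org")])
    conn.executemany("INSERT INTO bz_groups VALUES (?, ?)",
                     [(1, "canconfirm"), (2, "editbugs"), (3, "editusers"),
                      (4, "inactivebugs")])
    conn.executemany("INSERT INTO user_group_map VALUES (?, ?, ?)",
                     [(1, 1, 0), (1, 1, 1), (1, 2, 0), (1, 2, 1), (1, 3, 0),
                      (2, 2, 0)])
    return conn

JOIN = ("FROM user_group_map m, profiles p, bz_groups g "
        "WHERE m.user_id = p.user_id AND m.group_id = g.id AND p.login_name = ? ")

def explicit_bless_bits(conn, login):
    """The isbless rows only: all the old permissions page listed."""
    rows = conn.execute("SELECT g.name " + JOIN +
                        "AND m.isbless = 1 ORDER BY g.name", (login,))
    return [r[0] for r in rows]

def in_group(conn, login, group):
    row = conn.execute("SELECT 1 " + JOIN + "AND g.name = ? AND m.isbless = 0",
                       (login, group)).fetchone()
    return row is not None

def can_bless(conn, login, group):
    """The effective rule from the thread: editusers can bless anything."""
    return in_group(conn, login, "editusers") or group in explicit_bless_bits(conn, login)

def blessable_groups(conn, login):
    """What the permissions page should list so it agrees with can_bless()."""
    if in_group(conn, login, "editusers"):
        return [r[0] for r in conn.execute("SELECT name FROM bz_groups ORDER BY name")]
    return explicit_bless_bits(conn, login)
```

For gerv, explicit_bless_bits() returns only canconfirm and editbugs (the old page), while can_bless() and blessable_groups() agree that every group is blessable.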

So editusers is equivalent to a person being given all the bless bits?

There are two things here. Firstly, the user prefs page should say that I can
bless any, if that's the truth. Secondly, I think we should therefore eliminate
the editusers group in favour of just checking all the boxes for a particular user.

Is this still a security issue, if it's working as designed?

Gerv
Attached patch UI change (obsolete)
OK, this replaces the list of groups in the prefs UI with a statement that the
user can edit all the users anyway.
You should be getting the editusers value from either the user.groups object or
(better) UserInGroup("editbugs"), for consistency and understandability.

Gerv
Not a security bug, just confusing UI.
Group: webtools-security
Comment on attachment 105692
UI change

r=justdave
a=justdave

IF you remove the QA contact stuff from this patch before checking in. That's
a different bug.
Attachment #105692 - Flags: review+
Attached patch Cleaner patch
Right.
Attachment #105692 - Attachment is obsolete: true
Comment on attachment 105693
Cleaner patch

r=justdave
Attachment #105693 - Flags: review+
Checking in permissions.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/permissions.html.tmpl,v  <--  permissions.html.tmpl
new revision: 1.4; previous revision: 1.3
done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 2.18
QA Contact: matty_is_a_geek → default-qa