Closed
Bug 502846
Opened 15 years ago
Closed 15 years ago
Authenticated Users with no roles are able to revise Events on QMO
Categories
(quality.mozilla.org :: Website, defect)
quality.mozilla.org
Website
Tracking
(Not tracked)
VERIFIED
INVALID
People
(Reporter: aakashd, Unassigned)
Details
Sam pointed this out to me, but if you look at the following link: http://quality.mozilla.org/node/440/revisions

Users ricmacas and atokubi, both support users, were either able to revise the event even though they don't have any roles set up to allow such permissions.

Tomcat believes this has something to do with the last two security updates we did as well as possibly they were participants of the event.
Comment 2•15 years ago
(In reply to comment #0)
> Users ricmacas and atokubi, both support users, were either able to revise the
> event even though they don't have any roles set up to allow such permissions.
>
> Tomcat believes this has something to do with the last two security updates we
> did as well as possibly they were participants of the event.

Well, I said:

09:13 <@Tomcat> well this was before we fixed 2 security bugs :)

I think this has more to do with the fact that these guys are on the list of attendance for the event. According to the permissions they should not be able to change the content, but somehow they do :/
Comment 3 (Reporter)•15 years ago
OK, just tried test accounts on production and staging and neither of them was able to edit the event after putting themselves as participants of those events. I'm not sure where else to go with this.
Comment 4•15 years ago
My initial assumption is that the names were entered by someone who had permissions. I believe I can put someone else as an author even though I am editing the document. So if we cannot reproduce this, that's probably why. However, to properly test, if this doesn't get solved quickly, maybe we could try installing http://drupal.org/project/masquerade to switch users and see if they really do have permissions. Alternatively, we could ask them (might be quicker).
Comment 5•15 years ago
(In reply to comment #4)
> However, to properly test, if this doesn't get solved quick, maybe we could try
> installing http://drupal.org/project/masquerade to switch users and see if they
> really do have permissions. Alternatively, we could ask them (might be quicker)

We may be able to do this with the Devel module. Testing now on stage.
Comment 6•15 years ago
Yes, I'm similarly stumped. The first thing I checked was the permissions and the roles those users have (none). Nothing stands out. For the record, I don't see atokubi in the revisions list.

I created a test account named 'buchanae-normal' and logged in, then joined the event. After logging back in as an admin, I see 'buchanae-normal' now owns the current revision.

http://www.grabup.com/uploads/4ae80f7ddb9798e7a6bd5c67245dc8e6.png

Odd... Sounds like Drupal fail. Not sure it's a critical security issue, as I couldn't edit the post as 'buchanae-normal'.
Comment 7•15 years ago
Okay, so I switched to sammybahamas and couldn't edit the event. It's probably like Alex said, a "naming" issue rather than permissions. Odd, though. Is it worth filing a Drupal bug, Alex?
Comment 8 (Reporter)•15 years ago
Yeah, it's not a critical security bug. I'm going to move the bug to normal due to this discussion and setting some of these comments as private. You guys can remove the private setting as you see fit. Tomcat, move it out of private status :).
Updated (Reporter)•15 years ago
Severity: critical → normal
Comment 9•15 years ago
(In reply to comment #7)
> Okay, so I switched to sammybahamas and couldn't edit the event. It's probably
> like Alex said, a "naming" issue rather than permissions. Odd, though. Is it
> worth filing a Drupal bug, Alex?

I don't know for sure that it's a Drupal core bug, so I'm not sure what you would file it under. It could stem from the QMO's setup. You could ask in the Drupal forums or IRC also.
Updated•15 years ago
Group: websites-security
Comment 10•15 years ago
(In reply to comment #6)
> I created a test account named 'buchanae-normal' and logged in, then joined the
> event. After logging back in as an admin, I see 'buchanae-normal' now owns the
> current revision.
>
> http://www.grabup.com/uploads/4ae80f7ddb9798e7a6bd5c67245dc8e6.png
>
> Odd.... Sounds like Drupal fail. Not sure it's a critical security issue, as I
> couldn't edit the post as 'buchanae-normal'

Per Alex's comment.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID