Closed
Bug 1196614
Opened 9 years ago
Closed 9 years ago
restrict the ability for users with editusers/creategroups to alter admins and the admin group
Categories
(bugzilla.mozilla.org :: General, defect, P1)
RESOLVED
FIXED
People
(Reporter: glob, Assigned: glob)
References
(Blocks 2 open bugs)
Attachments
(1 file, 1 obsolete file)
5.63 KB, patch | dkl: review+
we need to provide tighter restrictions around the admin group:
- ensure only admins can edit other admins
- ensure only admins can edit the admin group
  - editing it directly
  - moving it into or out of other groups
- require admin access to edit admin users, even if you are in editbugs
- likewise you need core-security membership to edit core-security users
- prevent non-admins from editing the admin group, or moving that group into or out of other groups
- and again for core-security
Attachment #8650525 -
Flags: review?(dkl)
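The rules listed in the description and patch summary above, written out as a small authorization model. This is an added example, not code from the patch or from Bugzilla; the function names, user names, the `sec-leads` group and the membership data are all hypothetical, and group inheritance is modelled as a simple "members of X are also members of Y" map.

```python
# Added illustration, not Bugzilla/BMO code; all names and data are hypothetical.
RESTRICTED = frozenset({"admin", "core-security"})  # the two groups named in this bug

# Constructed sample data: direct memberships, and group inheritance
# (members of the key group are also members of each listed group).
DIRECT = {
    "alice": {"admin", "editusers", "creategroups"},
    "bob": {"editusers", "creategroups"},
    "carol": {"core-security", "editusers"},
    "dave": {"editbugs"},
    "erin": {"sec-leads"},
}
INHERITS = {"sec-leads": {"core-security"}}


def effective_groups(user):
    """Direct groups plus everything reachable through inheritance."""
    seen, todo = set(), list(DIRECT.get(user, ()))
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(INHERITS.get(group, ()))
    return seen


def holds_restricted(actor, groups):
    """True if the actor is in every restricted group among `groups`."""
    return (RESTRICTED & set(groups)) <= effective_groups(actor)


def can_edit_user(actor, target):
    """editusers is necessary, but not sufficient for restricted targets."""
    return ("editusers" in effective_groups(actor)
            and holds_restricted(actor, effective_groups(target)))


def can_edit_group(actor, group):
    """creategroups is necessary; restricted groups also need membership."""
    return ("creategroups" in effective_groups(actor)
            and holds_restricted(actor, {group}))


def can_change_inheritance(actor, member_group, container_group):
    """Moving a group into or out of another: check both ends of the edge."""
    return ("creategroups" in effective_groups(actor)
            and holds_restricted(actor, {member_group, container_group}))
```

The target's membership is resolved through inheritance before the check, so a user who is in a restricted group only indirectly (`erin` here) is protected the same way as a direct member.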
Comment 2•9 years ago
What about the other security groups? core-security is not the only one.
(In reply to Reed Loden [:reed] (use needinfo?) from comment #2)
> What about the other security groups? core-security is not the only one.
right now the focus is on the two most important groups - admin and the insider group.
if required we can extend this to other groups later.
Comment 4•9 years ago
Comment on attachment 8650525
1196614_1.patch
Review of attachment 8650525:
-----------------------------------------------------------------
This looks good and does what is described. I would rather see the restricted group list be in Constants.pm so that as we add more later we have the main work done already. I tweaked the patch, which I will upload after this, and if you like it, you can switch it out. Otherwise feel free to go with this in the meantime. r=dkl
Attachment #8650525 -
Flags: review?(dkl) → review+
Comment 5•9 years ago
Comment on attachment 8651266
1196614_dkl.patch
i did think of this, but it needs to be admin ui controlled using group inheritance. we can expand the scope of this in a later bug.
Attachment #8651266 -
Attachment is obsolete: true
Attachment #8651266 -
Flags: review-
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
4cc64c9..0b05719 master -> master
i've filed bug 1197678 for the followup work.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED