restrict the ability for users with editusers/creategroups to alter admins and the admin group

Status: RESOLVED FIXED
Product: bugzilla.mozilla.org
Component: General
Priority: P1
Severity: normal
Reported: 2 years ago
Last updated: 2 years ago

People

(Reporter: glob, Assigned: glob)

Tracking

(Blocks: 2 bugs)

Production

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

2 years ago
we need to provide tighter restrictions around the admin group:
- ensure only admins can edit other admins
- ensure only admins can edit the admin group
  - editing it directly
  - moving it into or out of other groups
(Assignee)

Comment 1

2 years ago
Created attachment 8650525 [details] [diff] [review]
1196614_1.patch

- require admin access to edit admin users, even if you are in editbugs
- likewise you need core-security membership to edit core-security users
- prevent non-admins from editing the admin group, or moving that group into or out of other groups
- and again for core-security
Attachment #8650525 - Flags: review?(dkl)
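The access rule described in this bug (only members of a restricted group may edit that group, its members, or its nesting), modelled as an added example in plain Python; this is not BMO's Perl code, and the privilege names other than admin and core-security plus the sample accounts are constructed:

```python
"""Model of the restriction: editing a user or group that belongs to a
restricted group requires the editor to be in that same restricted group,
on top of the usual editusers / creategroups privileges."""

# The two groups this bug locks down; core-security is the "insider group".
RESTRICTED_GROUPS = frozenset({"admin", "core-security"})


def restricted_groups_touched(*group_sets):
    """Return the restricted groups present in any of the given group sets."""
    touched = set()
    for groups in group_sets:
        touched |= RESTRICTED_GROUPS & set(groups)
    return touched


def can_edit_user(editor_groups, target_groups):
    """editusers allows editing accounts, unless the target is in a
    restricted group the editor does not belong to."""
    editor = set(editor_groups)
    if "editusers" not in editor:
        return False
    return restricted_groups_touched(target_groups) <= editor


def can_edit_group(editor_groups, group_name):
    """Editing a restricted group directly requires membership of it."""
    editor = set(editor_groups)
    if "creategroups" not in editor:
        return False
    return restricted_groups_touched([group_name]) <= editor


def can_nest_groups(editor_groups, member_group, parent_group):
    """Moving a group into or out of another group: if either side is
    restricted, the editor must be a member of it (this is what stops
    a non-admin from making e.g. editbugs a member of admin)."""
    editor = set(editor_groups)
    if "creategroups" not in editor:
        return False
    return restricted_groups_touched([member_group], [parent_group]) <= editor


# Constructed sample accounts; memberships are listed flat (a real Bugzilla
# would expand group inheritance before applying these checks).
SAMPLE_USERS = {
    "helpdesk": {"editusers", "creategroups", "editbugs"},
    "sec-lead": {"editusers", "core-security"},
    "root": {"editusers", "creategroups", "admin", "core-security"},
}
```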
Comment 2

What about the other security groups? core-security is not the only one.
(Assignee)

Comment 3

2 years ago
(In reply to Reed Loden [:reed] (use needinfo?) from comment #2)
> What about the other security groups? core-security is not the only one.

right now the focus is on the two most important groups - admin and the insider group.

if required we can extend this to other groups later.
Comment 4

Comment on attachment 8650525 [details] [diff] [review]
1196614_1.patch

Review of attachment 8650525 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good and does what is described. I would rather see the restricted group list be in Constants.pm so that as we add more later we have main work done already. I tweaked the patch which I will upload after this and if you like it, you can switch it out. Otherwise feel free to go with this in the meantime. r=dkl
Attachment #8650525 - Flags: review?(dkl) → review+
Comment 5

Created attachment 8651266 [details] [diff] [review]
1196614_dkl.patch
(Assignee)

Comment 6

2 years ago
Comment on attachment 8651266 [details] [diff] [review]
1196614_dkl.patch

i did think of this, but it needs to be admin ui controlled using group inheritance.  we can expand the scope of this in a later bug.
Attachment #8651266 - Attachment is obsolete: true
Attachment #8651266 - Flags: review-
(Assignee)

Updated

2 years ago
Blocks: 1197678
(Assignee)

Comment 7

2 years ago
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   4cc64c9..0b05719  master -> master

i've filed bug 1197678 for the followup work.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(Assignee)

Updated

2 years ago
Group: bugzilla-security