Bug 1196614 - restrict the ability for users with editusers/creategroups to alter admins and the admin group
Status: RESOLVED FIXED
Product: bugzilla.mozilla.org
Classification: Other
Component: General
Version: Production
Platform: Unspecified Unspecified
Importance: P1 normal
Target Milestone: ---
Assigned To: Byron Jones ‹:glob›
Mentors:
Depends on:
Blocks: 1193827 1197678
Reported: 2015-08-19 20:33 PDT by Byron Jones ‹:glob›
Modified: 2015-08-24 22:32 PDT
CC: 5 users
See Also:
Due Date:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
1196614_1.patch (5.63 KB, patch)
2015-08-20 09:27 PDT, Byron Jones ‹:glob›
dkl: review+
1196614_dkl.patch (6.26 KB, patch)
2015-08-21 15:15 PDT, David Lawrence [:dkl]
glob: review-

Description Byron Jones ‹:glob› 2015-08-19 20:33:39 PDT
we need to provide tighter restrictions around the admin group:
- ensure only admins can edit other admins
- ensure only admins can edit the admin group
  - editing it directly
  - moving it into or out of other groups
Comment 1 Byron Jones ‹:glob› 2015-08-20 09:27:22 PDT
Created attachment 8650525 [details] [diff] [review]
1196614_1.patch

- require admin access to edit admin users, even if you are in editbugs
- likewise you need core-security membership to edit core-security users
- prevent non-admins from editing the admin group, or moving that group into or out of other groups
- and again for core-security
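The restriction described in this comment, modelled as an added Python example rather than Bugzilla's Perl or the attached patch: a user with editusers may still not edit a member of a restricted group (admin, core-security) unless they belong to that group themselves, and a user with creategroups may not edit such a group directly or change its inheritance relations. The `User` class, function names and sample logins are this example's own.

```python
"""Illustrative model of the access checks in this bug (not Bugzilla code)."""
from dataclasses import dataclass, field

# Groups whose members and whose definitions are locked down in this bug.
# Comment 1 names admin and core-security; comment 3 defers other groups.
RESTRICTED_GROUPS = frozenset({"admin", "core-security"})


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset = field(default_factory=frozenset)

    def in_group(self, name: str) -> bool:
        return name in self.groups


def can_edit_user(editor: User, target: User) -> bool:
    """editusers is required for any user edit; editing a member of a
    restricted group additionally requires membership in that same group."""
    if not editor.in_group("editusers"):
        return False
    return all(editor.in_group(g) for g in RESTRICTED_GROUPS & target.groups)


def can_edit_group(editor: User, group: str, related_groups=()) -> bool:
    """creategroups is required for any group edit.  If the edited group, or
    any group it is being moved into or out of (related_groups), is
    restricted, the editor must also be a member of that restricted group."""
    if not editor.in_group("creategroups"):
        return False
    touched = {group, *related_groups} & RESTRICTED_GROUPS
    return all(editor.in_group(g) for g in touched)


if __name__ == "__main__":
    # Constructed sample accounts, not real bugzilla.mozilla.org users.
    admin = User("admin@example.org", frozenset({"admin", "editusers", "creategroups"}))
    helper = User("helper@example.org", frozenset({"editusers", "creategroups"}))
    print(can_edit_user(helper, admin))                       # False
    print(can_edit_group(helper, "editbugs", ["admin"]))      # False
    print(can_edit_group(admin, "editbugs", ["admin"]))       # True
```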
Comment 2 Reed Loden [:reed] (use needinfo?) 2015-08-20 09:56:15 PDT
What about the other security groups? core-security is not the only one.
Comment 3 Byron Jones ‹:glob› 2015-08-20 09:59:47 PDT
(In reply to Reed Loden [:reed] (use needinfo?) from comment #2)
> What about the other security groups? core-security is not the only one.

right now the focus is on the two most important groups - admin and the insider group.

if required we can extend this to other groups later.
Comment 4 David Lawrence [:dkl] 2015-08-21 15:14:15 PDT
Comment on attachment 8650525 [details] [diff] [review]
1196614_1.patch

Review of attachment 8650525 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good and does what is described. I would rather see the restricted group list be in Constants.pm so that as we add more later we have main work done already. I tweaked the patch which I will upload after this and if you like it, you can switch it out. Otherwise feel free to go with this in the meantime. r=dkl
Comment 5 David Lawrence [:dkl] 2015-08-21 15:15:41 PDT
Created attachment 8651266 [details] [diff] [review]
1196614_dkl.patch
Comment 6 Byron Jones ‹:glob› 2015-08-23 20:56:48 PDT
Comment on attachment 8651266 [details] [diff] [review]
1196614_dkl.patch

i did think of this, but it needs to be admin ui controlled using group inheritance.  we can expand the scope of this in a later bug.
Comment 7 Byron Jones ‹:glob› 2015-08-23 22:31:11 PDT
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   4cc64c9..0b05719  master -> master

i've filed bug 1197678 for the followup work.