Closed Bug 1196614 Opened 9 years ago Closed 9 years ago

restrict the ability for users with editusers/creategroups to alter admins and the admin group

Categories

(bugzilla.mozilla.org :: General, defect, P1)

Production
defect

RESOLVED FIXED

People

(Reporter: glob, Assigned: glob)

References

(Blocks 2 open bugs)

Attachments

(1 file, 1 obsolete file)

we need to provide tighter restrictions around the admin group:
- ensure only admins can edit other admins
- ensure only admins can edit the admin group
  - editing it directly
  - moving it into or out of other groups
Attached patch 1196614_1.patch
- require admin access to edit admin users, even if you are in editbugs
- likewise you need core-security membership to edit core-security users
- prevent non-admins from editing the admin group, or moving that group into or out of other groups
- and again for core-security
Attachment #8650525 - Flags: review?(dkl)
What about the other security groups? core-security is not the only one.
(In reply to Reed Loden [:reed] (use needinfo?) from comment #2)
> What about the other security groups? core-security is not the only one.

right now the focus is on the two most important groups - admin and the insider group.

if required we can extend this to other groups later.
Comment on attachment 8650525
1196614_1.patch

Review of attachment 8650525:
-----------------------------------------------------------------

This looks good and does what is described. I would rather see the restricted group list be in Constants.pm so that as we add more later we have the main work done already. I tweaked the patch, which I will upload after this, and if you like it you can switch it out. Otherwise feel free to go with this in the meantime. r=dkl
Attachment #8650525 - Flags: review?(dkl) → review+
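As an added illustration (not code from the patch attached to this bug and not Bugzilla's own code), the rules in the patch description above and the reviewer's suggestion of keeping the restricted group list in one place, modelled in Python. The group names editusers, creategroups, admin and core-security come from the bug; the function names, the `PROTECTED_GROUPS` set, the sample actors and the assumption that the caller has already resolved group inheritance into each actor's effective group set are all assumptions of this example.

```python
# Model of the access rules described in this bug (added example, not
# Bugzilla code). Actor and target privileges are given as their effective
# group sets, i.e. after any group inheritance has been resolved by the caller.

# Groups whose members and whose group record may only be altered by fellow
# members. Kept in one place, as the review suggests, so adding another group
# later is a one-line change here (a stand-in for a list in Constants.pm).
PROTECTED_GROUPS = frozenset({"admin", "core-security"})


def _has_privilege(actor_groups, privilege):
    return privilege in actor_groups


def can_edit_user(actor_groups, target_groups):
    """Return (allowed, reason) for an attempt to edit a user account.

    editusers remains the base requirement; on top of that, every protected
    group the target belongs to must also be held by the actor, so an
    editusers holder who is not an admin cannot touch an admin account.
    """
    if not _has_privilege(actor_groups, "editusers"):
        return False, "actor lacks editusers"
    missing = (PROTECTED_GROUPS & set(target_groups)) - set(actor_groups)
    if missing:
        return False, ("target is in protected group(s) actor is not: "
                       + ", ".join(sorted(missing)))
    return True, "ok"


def can_edit_group(actor_groups, group_name):
    """Return (allowed, reason) for a direct edit of a group record."""
    if not _has_privilege(actor_groups, "creategroups"):
        return False, "actor lacks creategroups"
    if group_name in PROTECTED_GROUPS and group_name not in actor_groups:
        return False, f"{group_name} may only be edited by its members"
    return True, "ok"


def can_change_group_nesting(actor_groups, member_group, parent_group):
    """Return (allowed, reason) for adding member_group to, or removing it
    from, parent_group.

    Both sides of the relationship are checked: nesting a group inside admin
    makes that group's members admins, and moving admin inside another group
    changes what admins implicitly belong to, so if either group is protected
    the actor must be a member of it.
    """
    if not _has_privilege(actor_groups, "creategroups"):
        return False, "actor lacks creategroups"
    for g in (member_group, parent_group):
        if g in PROTECTED_GROUPS and g not in actor_groups:
            return False, f"{g} may only be re-parented by its members"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample actors for a quick walk-through.
    user_admin = {"editusers", "admin"}          # an editusers holder who is not an admin
    plain_user_admin = {"editusers"}
    group_admin = {"creategroups"}                # a creategroups holder who is not an admin

    print(can_edit_user(plain_user_admin, {"admin"}))                # denied
    print(can_edit_user(user_admin, {"admin"}))                      # allowed
    print(can_edit_group(group_admin, "admin"))                      # denied
    print(can_change_group_nesting(group_admin, "editbugs", "admin"))  # denied
```

Each check returns a reason string alongside the decision so the denial can be logged and audited rather than silently dropped; the membership test is a plain set operation, which keeps the rule for every group in `PROTECTED_GROUPS` identical and makes extending the list to further security groups, as asked about in the comments, a data change rather than a code change.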
Attached patch 1196614_dkl.patch (obsolete)
Comment on attachment 8651266
1196614_dkl.patch

i did think of this, but it needs to be admin UI controlled using group inheritance. we can expand the scope of this in a later bug.
Attachment #8651266 - Attachment is obsolete: true
Attachment #8651266 - Flags: review-
Blocks: 1197678
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   4cc64c9..0b05719  master -> master

i've filed bug 1197678 for the followup work.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: bugzilla-security