Closed
Bug 125492
Opened 24 years ago
Closed 23 years ago
Any group member can change the group security on a bug
Categories
(Bugzilla :: Creating/Changing Bugs, enhancement, P2)
People
(Reporter: lavasani, Assigned: dkl)
Details
The ordinary member of a specific group who hasn't got any permission besides
viewing the bug is able to make the bug public. I think this is a major security
problem in bugzilla.
The approach that bugzilla took is a practical approach. Anyone who can see a bug can copy it and upload it to slashdot or anywhere else. Security bugs are on a trust system; if you don't trust someone to do the right thing, then you shouldn't cc them to the bug.
Resolution: CantFix
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WONTFIX
Summary: Changing the bug group security → People who can view bugs can make them public
Comment 2•24 years ago
damnit timeless, don't do that, now I have to do my edit all over again.
Status: RESOLVED → REOPENED
Depends on: 68022
Priority: -- → P2
Resolution: WONTFIX → ---
Summary: People who can view bugs can make them public → Any group member can change the group security on a bug
Target Milestone: --- → Bugzilla 2.18
Comment 3•24 years ago
I've often thought about that myself...
For mozilla.org this is probably okay, but I can imagine situations with
Syndicomm's system where we wouldn't want customers changing groups, so we
probably do need an option to lock this down somehow...
Making this dependent on the group schema change bug (bug 68022) since there's
no point in fixing this until the new schema is there, and we might be able to
work it into the new schema.
Assignee: myk → dkl
Status: REOPENED → NEW
Updated•24 years ago
Severity: major → enhancement
Comment 4•24 years ago
This isn't really hard to do, but there's no point in doing it before the
templatisation of process_bug and show_bug.
Does anyone really have a problem with requiring editbugs for this?
Requiring editbugs is a false sense of security - a user can easily just print
the bug out if they can see it, or copy it onto a piece of paper, or so on.
However, it's probably the right thing to do. A user can't change the groupset
for a group that they are not in, and this is just an extension of that.
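The two policies under discussion in this thread, the existing rule (a user may only change restrictions for groups they belong to) and the proposed tightening (also require editbugs), modelled side by side as an authorization check. This is an added illustration, not Bugzilla's own code; the User/Bug classes and the `require_editbugs` switch are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: frozenset          # groups the user is a member of
    editbugs: bool = False     # the editbugs privilege discussed in the thread


@dataclass
class Bug:
    bug_id: int
    groups: set = field(default_factory=set)  # restricting groups; empty means public


def can_view(user: User, bug: Bug) -> bool:
    """A bug with no restricting groups is public; otherwise membership in any one suffices."""
    return not bug.groups or bool(bug.groups & user.groups)


def may_remove_group(user: User, bug: Bug, group: str, require_editbugs: bool) -> bool:
    """Decide whether `user` may drop `group` from the bug's restriction list.

    require_editbugs=False reproduces the behaviour the reporter objected to:
    mere visibility (group membership) is enough to make the bug public.
    require_editbugs=True is the tightening proposed in comment 4.
    """
    if not can_view(user, bug):
        return False
    if group not in user.groups:        # existing rule: only groups you are in
        return False
    if require_editbugs and not user.editbugs:
        return False
    return True


def remove_group(user: User, bug: Bug, group: str, require_editbugs: bool = True) -> bool:
    """Apply the change if permitted; return True if the bug is now public."""
    if not may_remove_group(user, bug, group, require_editbugs):
        raise PermissionError(f"{user.name} may not remove {group} from bug {bug.bug_id}")
    bug.groups.discard(group)
    return not bug.groups


# Constructed sample data for a quick run.
viewer = User("viewer", frozenset({"security"}))             # can see, no editbugs
editor = User("editor", frozenset({"security"}), editbugs=True)
outsider = User("outsider", frozenset({"other"}), editbugs=True)
```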
Comment 5•23 years ago
Dupe.
*** This bug has been marked as a duplicate of 90477 ***
Status: NEW → RESOLVED
Closed: 24 years ago → 23 years ago
Resolution: --- → DUPLICATE
Comment 6•23 years ago
clearing milestones on DUPLICATE/WONTFIX/WORKSFORME/INVALID bugs (so they'll
show up as needing triage if they get reopened)
Target Milestone: Bugzilla 2.18 → ---
Updated•13 years ago
QA Contact: matty_is_a_geek → default-qa