Closed Bug 143232 Opened 23 years ago Closed 18 years ago

Random user can assign public bugs to own group

Categories

(Bugzilla :: Creating/Changing Bugs, enhancement, P1)

Product:
Bugzilla
Component:
Creating/Changing Bugs
Version:
2.15
Type:
enhancement

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: andy.riebs, Unassigned)

Details

If a member of Group A creates a bug report, and leaves the bug public, a member of Group B can subsequently assign the bug to Group B! I *think* the attached patch handles the problem correctly. (It might be preferable to call CheckCanChangeField(), but that would reveal the existing value of groupset to the errant user.) --- process_bug.cgi-OLD Wed May 8 08:10:53 2002 +++ process_bug.cgi Wed May 8 17:30:09 2002 @@ -226,6 +226,22 @@ my $reporterid; my $qacontactid; +sub CheckCanChangeGroupset { + my ($userid, $bugid) = @_; + if (UserInGroup("editbugs")) { + return 1; + } + SendSQL("SELECT reporter, assigned_to, qa_contact FROM bugs " . + "WHERE bug_id = $bugid"); + ($reporterid, $ownerid, $qacontactid) = (FetchSQLData()); + if (($userid == $reporterid) + || ($userid == $ownerid) + || ($userid == $qacontactid)) { + return 1; + } + return 0; +} + sub CheckCanChangeField { my ($f, $bugid, $oldvalue, $newvalue) = (@_); if ($f eq "assigned_to" || $f eq "reporter" || $f eq "qa_contact") { @@ -459,7 +475,8 @@ } } } - if ($groupAdd ne "0" || $groupDel ne "0") { + if (($groupAdd ne "0" || $groupDel ne "0") + && CheckCanChangeGroupset($::userid, $::FORM{'id'})) { DoComma(); # mysql < 3.23.5 doesn't support the ~ operator, even though # the docs say that it does
Priority: -- → P1
Hmmm... my patch allows a member of a group to assign their own bug to their own group after it's been entered, but it doesn't let them turn it public again. Also, there should be a ThrowUserError() in there. (And the patch looked *so* good when I entered this bug report.)
This is a bit of a gray area... This might be better helped by the more finely grained security system down the line about who's allowed to change what....
I don't see that helping ... this behaviour is by design. I don't see the proposed solution here as being something installations would want to stick to. In practice that would be a bigger problem than the one trying to be solved. We could implement some sort of restrictions on placing restrictions, but this is not critical by any means.
Severity: critical → enhancement
Target Milestone: --- → Future
QA Contact: mattyt-bugzilla → default-qa
Target Milestone: Future → ---
Assignee: myk → create-and-change
Yes, this is by design. If you have the right to restrict a bug to a group...then you have that right.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.