Blessing doesn't work right

RESOLVED FIXED in Bugzilla 2.18



User Accounts
15 years ago
5 years ago


(Reporter: gerv, Assigned: myk)


Bugzilla 2.18



(1 attachment, 1 obsolete attachment)

912 bytes, patch
: review+
Details | Diff | Splinter Review


15 years ago
According to userprefs.cgi, I can bless only canconfirm and editbugs. However, I
just tested, and I can bless other groups as well. This could be because I've
got a fair number of admin privs - so either the userprefs should notice and say
"You can bless anyone", or blessing is broken.


Comment 1

15 years ago
This could be a security bug.  Securing until someone figures it out.
Group: webtools-security


15 years ago
Blocks: 179176
myk, what does:

SELECT user_group_map.* FROM user_group_map, profiles WHERE
user_group_map.user_id = profiles.user_id AND profiles.login_name =


What permissions does your editusers page claim that you have?

Comment 3

15 years ago
My editusers page says that I am a member of every group going except "security"
(Mozilla security) and "Inactive Bugs". It says I can bless canconfirm and editbugs.

My user preferences permissions page says:

 You have the following permission bits set on your account:

canconfirm Can confirm a bug.
creategroups Can create and destroy groups.
editbugs Can edit all aspects of any bug.
editcomponents Can create, destroy, and edit components.
editkeywords Can create, destroy, and edit keywords.
editusers Can edit or disable users
inactivebugs Inactive Bugs
mozillaorgconfidential Confidential
netscapeconfidential Netscape Confidential
tweakparams Can tweak operating parameters
webtools-security Webtools Security-Sensitive Bug

And you can turn on or off the following bits for other users:

canconfirm Can confirm a bug.
editbugs Can edit all aspects of any bug.

I can add bbaetz to, and remove him from, and allow him to bless, and stop him
blessing, the following sample groups: editusers (of which I am a member),
inactive bugs (of which I am not a member) and mozillaorgconfidential.


Comment 4

15 years ago
Anyone with editusers can bless anything, correct?

Was Gerv previosuly not in editusers?


Comment 5

15 years ago
No, I've always been in editusers. But I don't think having the editusers
privilege should mean anyone can do anything - you need editusers just to _see_
the editusers page; surely, then, it should present you with only the options
you are allowed to change? Otherwise the whole concept of blessing falls apart.


Comment 6

15 years ago

This is exactly the way that 2.16 works.

editusers makes blessgroupset irrelevent.

Comment 7

15 years ago

See bug 145849
Blessers are permitted to see the user edit.
Editusers means you can bless anything.


Comment 8

15 years ago
So editusers is equivalent to a person being given all the bless bits? 

There's two things here. Firstly, the user prefs page should say that I can
bless any, if that's the truth. Secondly, I think we should therefore eliminate
the editusers group in favour of just checking all the boxes for a particular user.

is this still a security issue, if it's working as designed?


Comment 9

15 years ago
Created attachment 105692 [details] [diff] [review]
UI change

OK, this replaces the list of groups in the prefs UI with a statement that the
user can edit all the users anyway.

Comment 10

15 years ago
You should be getting the editusers value from either the user.groups object or
(better) UserInGroup("editbugs"), for consistency and understandability.

Not a security bug, just confusing UI.
Group: webtools-security
Comment on attachment 105692 [details] [diff] [review]
UI change


IF you remove the QA contact stuff from this patch before checking in.	That's
a different bug.
Attachment #105692 - Flags: review+

Comment 13

15 years ago
Created attachment 105693 [details] [diff] [review]
Cleaner patch

Attachment #105692 - Attachment is obsolete: true
Comment on attachment 105693 [details] [diff] [review]
Cleaner patch

Attachment #105693 - Flags: review+

Comment 15

15 years ago
Checking in permissions.html.tmpl;                            2,13          All
.html.tmpl,v  <--  permissions.html.tmpl
new revision: 1.4; previous revision: 1.3
Last Resolved: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 2.18
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.