According to userprefs.cgi, I can bless only canconfirm and editbugs. However, I just tested, and I can bless other groups as well. This could be because I've got a fair number of admin privs - so either the userprefs should notice and say "You can bless anyone", or blessing is broken. Gerv
This could be a security bug. Securing until someone figures it out.
myk, what does: SELECT user_group_map.* FROM user_group_map, profiles WHERE user_group_map.user_id = profiles.user_id AND profiles.login_name = 'firstname.lastname@example.org' give? What permissions does your editusers page claim that you have?
My editusers page says that I am a member of every group going except "security" (Mozilla security) and "Inactive Bugs". It says I can bless canconfirm and editbugs.

My user preferences permissions page says:

You have the following permission bits set on your account:
canconfirm - Can confirm a bug.
creategroups - Can create and destroy groups.
editbugs - Can edit all aspects of any bug.
editcomponents - Can create, destroy, and edit components.
editkeywords - Can create, destroy, and edit keywords.
editusers - Can edit or disable users
inactivebugs - Inactive Bugs
mozillaorgconfidential - mozilla.org Confidential
netscapeconfidential - Netscape Confidential
tweakparams - Can tweak operating parameters
webtools-security - Webtools Security-Sensitive Bug

And you can turn on or off the following bits for other users:
canconfirm - Can confirm a bug.
editbugs - Can edit all aspects of any bug.

I can add bbaetz to, and remove him from, and allow him to bless, and stop him blessing, the following sample groups: editusers (of which I am a member), inactive bugs (of which I am not a member) and mozillaorgconfidential. Gerv
Anyone with editusers can bless anything, correct? Was Gerv previously not in editusers?
No, I've always been in editusers. But I don't think having the editusers privilege should mean anyone can do anything - you need editusers just to _see_ the editusers page; surely, then, it should present you with only the options you are allowed to change? Otherwise the whole concept of blessing falls apart. Gerv
This is exactly the way that 2.16 works. editusers makes blessgroupset irrelevant.
See bug 145849 Blessers are permitted to see the user edit. Editusers means you can bless anything.
So editusers is equivalent to a person being given all the bless bits? There are two things here. Firstly, the user prefs page should say that I can bless any, if that's the truth. Secondly, I think we should therefore eliminate the editusers group in favour of just checking all the boxes for a particular user. Is this still a security issue, if it's working as designed? Gerv
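The rule the thread has settled on (editusers membership overrides the per-group bless bits, so the prefs page should report that rather than the two explicit bits) modelled as a small authorization check. This is an added example, not Bugzilla's own code; the row layout only loosely mirrors user_group_map, the logins and group memberships are constructed, and `prefs_summary` is a hypothetical helper standing in for what the permissions page renders.

```python
"""Model of the bless check discussed in this bug: explicit per-group bless
bits versus the editusers short-circuit.  Constructed example, not Bugzilla
code; the row shape below only loosely mirrors user_group_map."""

# Constructed sample rows: (login_name, group_name, isbless).
# isbless=0 records membership, isbless=1 records the right to bless that group.
SAMPLE_ROWS = [
    ("admin@example.org", "editusers", 0),
    ("admin@example.org", "editbugs", 0),
    ("admin@example.org", "canconfirm", 1),
    ("admin@example.org", "editbugs", 1),
    ("triager@example.org", "editbugs", 0),
    ("triager@example.org", "canconfirm", 1),
]

# Constructed group list for the example installation.
ALL_GROUPS = frozenset({"canconfirm", "editbugs", "editusers",
                        "inactivebugs", "mozillaorgconfidential"})


def load_user(rows, login):
    """Split one user's rows into memberships and explicit bless bits."""
    groups, bless = set(), set()
    for who, group, isbless in rows:
        if who != login:
            continue
        (bless if isbless else groups).add(group)
    return frozenset(groups), frozenset(bless)


def can_bless(groups, bless_bits, target):
    """The 2.16 rule from the thread: editusers membership makes the
    per-group bless bits irrelevant; otherwise an explicit bit is required."""
    if "editusers" in groups:
        return True
    return target in bless_bits


def blessable_groups(groups, bless_bits, all_groups=ALL_GROUPS):
    """Every group the user could actually bless under can_bless()."""
    return frozenset(g for g in all_groups if can_bless(groups, bless_bits, g))


def prefs_summary(groups, bless_bits, all_groups=ALL_GROUPS):
    """What the permissions page should say, derived from the same check the
    editusers page enforces, so the UI cannot understate what a user can do."""
    if "editusers" in groups:
        return "You can bless any group (editusers)."
    blessable = sorted(blessable_groups(groups, bless_bits, all_groups))
    if not blessable:
        return "You cannot bless any group."
    return "You can bless: " + ", ".join(blessable)


if __name__ == "__main__":
    for login in ("admin@example.org", "triager@example.org"):
        g, b = load_user(SAMPLE_ROWS, login)
        print(login, "->", prefs_summary(g, b))
```

The point of deriving the summary from `can_bless` rather than from the stored bless bits alone is exactly the mismatch reported above: the stored bits for the editusers member list only canconfirm and editbugs, while the enforced rule lets that user bless every group.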
Created attachment 105692 [details] [diff] [review] UI change OK, this replaces the list of groups in the prefs UI with a statement that the user can edit all the users anyway.
You should be getting the editusers value from either the user.groups object or (better) UserInGroup("editbugs"), for consistency and understandability. Gerv
Not a security bug, just confusing UI.
Comment on attachment 105692 [details] [diff] [review] UI change r=justdave a=justdave IF you remove the QA contact stuff from this patch before checking in. That's a different bug.
Attachment #105692 - Flags: review+
Created attachment 105693 [details] [diff] [review] Cleaner patch Right.
Attachment #105692 - Attachment is obsolete: true
Comment on attachment 105693 [details] [diff] [review] Cleaner patch r=justdave
Attachment #105693 - Flags: review+
Checking in permissions.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/permissions.html.tmpl,v <-- permissions.html.tmpl
new revision: 1.4; previous revision: 1.3
done
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 2.18