Open Bug 240904 Opened 20 years ago Updated 2 years ago

When logged in twice to the same installation, it is possible to submit a page as the wrong user, accidentally

Categories

(Bugzilla :: Bugzilla-General, defect, P4)

2.17.6

People

(Reporter: timeless, Unassigned)

Details

I'm not sure if i consider this a bug or a feature.

account pref pages don't send the name of the account whose prefs are being saved.

steps to reproduce:
1. create 2 or more accounts at your favorite bugzilla installation (might i
suggest landfill?)
2. login as user 1.
3. go to preferences and change who you're watching (don't submit)
4. open a new window and go back to your favorite bugzilla installation
5. do a search and realize you need to be logged in as user 2.
6. logout
7. click "Log in" in the footer (don't rely on the silly log in again item, it's
confusing and should go away)
8. do your search
9. go get some coffee
10. go back to the first window and finish your change
11. click submit (don't do this on something other than landfill unless you've
backed up your settings)

actual results:
this means that if i change auth credentials in one window and submit a pref
change in another window, i've instantly hosed one set of prefs and imported
another set.

expected results:
a warning if my account name or user id don't match the current credentials.
include a bookmarkable link to restore credentials (such a link should not
include a user id/name, clicking it should result in the same warning) to their
current settings.

bonus points for including a bookmarkable link to the new settings (again, don't
include the user id/name).

We could always include the userid as a hidden field in the form, and if it
doesn't match the cookie, then complain.

my thoughts exactly :)

QA Contact: mattyt-bugzilla → default-qa

I say confirm, with two modifications.

This problem can happen anywhere, such as when editing bugs.  Also, I'd suggest
throwing an error, along the lines of "the page you submitted was sent to user
***, but you are currently logged in as ***."

Yeah, we should just warn the user somehow. It's not a common-enough scenario to
create a whole complex feature around.

Assignee: myk → general
Severity: normal → minor
Status: UNCONFIRMED → NEW
Component: Bug Import/Export & Moving → Bugzilla-General
Ever confirmed: true
OS: Windows 2000 → All
Priority: -- → P4
Hardware: PC → All
Summary: pref panels should include enough info to warn users if they're bleeding account info → When logged in twice to the same installation, it is possible to submit a page as the wrong user, accidentally

Does this still happen?
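
The check suggested in the comments above (a hidden field recording which user the form was rendered for, compared with the logged-in user on submit), sketched in Python as an added example. It is not Bugzilla code; the function names, the `SITE_SECRET` value, the user ids and the HMAC binding of the field are assumptions made here.

```python
import hashlib
import hmac

# Assumption: a server-side secret for this installation (constructed value).
SITE_SECRET = b"constructed-demo-secret"


class WrongUserError(Exception):
    """The form was rendered for a different account than the one submitting."""


def _tag(user_id: int, form_name: str) -> bytes:
    msg = f"{user_id}:{form_name}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest().encode()


def issue_form_owner(user_id: int, form_name: str) -> str:
    """Hidden-field value, computed when the form page is rendered."""
    return f"{user_id}.{_tag(user_id, form_name).decode()}"


def check_form_owner(field: str, session_user_id: int, form_name: str) -> None:
    """Run before applying a submitted form; raises if the owner differs."""
    owner, _, tag = field.partition(".")
    if not (owner.isascii() and owner.isdigit()):
        raise ValueError("form owner field is missing or malformed")
    if not hmac.compare_digest(tag.encode(), _tag(int(owner), form_name)):
        raise ValueError("form owner field has been altered")
    if int(owner) != session_user_id:
        raise WrongUserError(
            f"the page you submitted was sent to user {owner}, "
            f"but you are currently logged in as {session_user_id}"
        )


def demo() -> str:
    """Replay the reported steps with constructed user ids 1 and 2."""
    field = issue_form_owner(1, "prefs")      # step 3: user 1 opens prefs
    check_form_owner(field, 1, "prefs")       # same login would be accepted
    try:
        check_form_owner(field, 2, "prefs")   # steps 6-11: cookie is now user 2
    except WrongUserError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    print(demo())
```

A bare user id in the hidden field would already catch the accidental case in this bug; the tag only keeps the comparison from relying on a value the browser can change.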
