Editusers.cgi?action=edit unclear about user's permission to edit other users
(Reporter: Bob Meyers, Assigned: justdave)
14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
Build Identifier: All; problem on server side

In editusers.cgi, when logged in as a user with permission to change group
membership bits (and not permission to edit users), an attempt to edit users is
not foiled until "update", when a cryptic error message says that a user name
with a valid email address must be entered. ("But I didn't change that!" or
"But that's not a text box! I can't change it!" are my first impulsive
responses.) The user should either be told "You need the editusers permission to
do this", or they should be allowed to edit group memberships for users (which is
as much editing groups as it is users). They are probably rightly puzzled when
they attempt to change group memberships and are told that they didn't enter a
valid email address when it appears perfectly on their screen, it came straight
from the database, and it wasn't changed by the user at all.

Reproducible: Always
Steps to Reproduce:
1. Login to Bugzilla as an admin (with full permissions).
2. Create a new user.
3. Give the user the permission to create and destroy groups.
4. Give the user the permission to set/clear bits indicating membership in
$GROUP for other users.
5. Do NOT give the user the permission to edit users.
6. Login as that user and go to the editusers.cgi?action=list page, and click
any user. You will be on the ?action=edit page.
7. Make changes to any group bit for the user, and hit "Update". This will take
you to the ?action=update page.
Actual Results:
"The user name entered must be a valid e-mail address. Please press Back and try
again." appears on the editparams.cgi?action=update page. Note that no changes
were made to the user name in the steps to reproduce above. Sub EmitElement($$)
in editusers.cgi only sends the user name (et al.) to the browser in text format
if the editusers permission is not detected by a true value in the $EditAll
variable. This prevents any update to the group membership bits, since no hidden
input field is generated for the user name. The reason for the "invalid email"
error is the absence of an HTML input tag (which can easily be added
client-side, so this is not ).

Expected Results:
I would expect that, if my permissions are set incorrectly, the message
should be indicative of such. If the permissions "editgroups" and "set $GROUP
bit for other users" are sufficient to make the change, the change should be

Workaround: Set the editusers permission for the user. This will allow them to
do whatever they wish to other users, though this is not recommended in general
in the 2.16 documentation.
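The mechanism the report describes, as an added illustration that is not Bugzilla's editusers.cgi: a form renderer that only emits the login as an input when the viewer holds editusers (so a group-bit-only editor never submits that field), an update handler whose validation order reproduces the cryptic e-mail error, and a hardened handler that authorizes per field from the viewer's permissions before validating, so the user gets a clear permission error and a client-side-added hidden input changes nothing. The names (`render_edit_form`, `handle_update_original`, `handle_update_fixed`, `BLESS`, the sample accounts) are assumptions for the example; whether Bugzilla 2.16 performed further permission checks after the e-mail validation is not shown on this page, so the "original" handler models only the validation order the report implies.

```python
import re
from dataclasses import dataclass, field

# Hypothetical permission names for the example (Bugzilla's real bits differ).
EDITUSERS = "editusers"  # may change another user's login, real name, password
BLESS = "bless:admin"    # may set/clear membership in group "admin" for others
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CRYPTIC = ("The user name entered must be a valid e-mail address. "
           "Please press Back and try again.")


@dataclass
class User:
    login: str
    groups: set = field(default_factory=set)
    perms: set = field(default_factory=set)


def sample_users():
    """Constructed sample accounts (hypothetical, not from any real install)."""
    admin = User("admin@example.com", {"admin"}, {EDITUSERS, BLESS})
    grouper = User("grouper@example.com", set(), {BLESS})  # steps 3-5 of the report
    nobody = User("nobody@example.com")
    target = User("target@example.com")
    return admin, grouper, nobody, target


def render_edit_form(viewer, target):
    """Models EmitElement: the login becomes a form input only when the viewer
    holds editusers; otherwise it is printed as text and never submitted."""
    form = {}
    if EDITUSERS in viewer.perms:
        form["login"] = target.login
    if EDITUSERS in viewer.perms or BLESS in viewer.perms:
        form["group_admin"] = "admin" in target.groups
    return form


def handle_update_original(viewer, target, form):
    """Validation order that produces the reported symptom: the login field is
    checked before anyone asks whether this viewer may edit this user at all,
    so an absent field reads as an invalid e-mail address."""
    if not EMAIL_RE.match(form.get("login", "")):
        return ("error", CRYPTIC)
    return ("ok", "login field accepted; remaining checks not modelled here")


def handle_update_fixed(viewer, target, form):
    """Authorize on the server from viewer.perms, per field, before validating.
    Which inputs the client submitted is never treated as evidence of rights."""
    can_edit = EDITUSERS in viewer.perms
    can_bless = BLESS in viewer.perms
    if not (can_edit or can_bless):
        return ("error", "You need the editusers permission to do this.")
    if "login" in form and form["login"] != target.login:
        if not can_edit:
            return ("error",
                    "You need the editusers permission to change a user's login.")
        if not EMAIL_RE.match(form["login"]):
            return ("error", CRYPTIC)
        target.login = form["login"]
    if "group_admin" in form:  # reachable only with editusers or the bless bit
        if form["group_admin"]:
            target.groups.add("admin")
        else:
            target.groups.discard("admin")
    return ("ok", sorted(target.groups))


if __name__ == "__main__":
    admin, grouper, nobody, target = sample_users()
    form = render_edit_form(grouper, target)              # no "login" key emitted
    print(handle_update_original(grouper, target, form))  # cryptic e-mail error
    forged = dict(form, login=target.login)               # hidden input added client-side
    print(handle_update_original(grouper, target, forged))  # validation now passes
    print(handle_update_fixed(grouper, target, {"group_admin": True}))
    print(handle_update_fixed(grouper, target, {"login": "x@example.com"}))
```

The point for a practitioner: the restriction in the renderer is a usability decision, not an access control. The `forged` dict shows that a client can supply any field the server did not emit, so the update handler has to decide what this viewer may change from the viewer's permissions, and report that decision in its own words rather than letting a missing field surface as a format error.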

Comment 1

14 years ago
Added 2.16.7, the version of default installation in which phenomenon was observed.

Also observed in default install of 2.16.6 Bugzilla.

Version: unspecified → 2.16.7

*** This bug has been marked as a duplicate of 253088 ***
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
QA Contact: matty_is_a_geek → default-qa