User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
Build Identifier: All; problem on server side

In editusers.cgi, and when logged in as a user with permission to change group membership bits (and not permission to edit users), an attempt to edit users is not foiled until "update", when a cryptic error message says that a user name with a valid email address must be entered. ("But I didn't change that!", or "But that's not a text box! I can't change it!" are my first impulsive responses.)

The user should either be told "You need the editusers permission to do this", or they should be allowed to edit group memberships for users (which is as much editing groups as it is users). They are probably rightly puzzled when they attempt to change group memberships and are told that they didn't enter a valid email address when it appears perfectly on their screen, it came straight from the database, and it wasn't changed by the user at all.

Reproducible: Always

Steps to Reproduce:
1. Log in to Bugzilla as an admin (with full permissions).
2. Create a new user.
3. Give the user the permission to create and destroy groups.
4. Give the user the permission to set/clear bits indicating membership in $GROUP for other users.
5. Do NOT give the user the permission to edit users.
6. Log in as that user and go to the editusers.cgi?action=list page, and click any user. You will be on the ?action=edit page.
7. Make changes to any group bit for the user, and hit "Update". This will take you to the ?action=update page.

Actual Results:
"The user name entered must be a valid e-mail address. Please press Back and try again." appears on the editparams.cgi?action=update page. Note that no changes were made to the user name in the steps to reproduce above.

Sub EmitElement($$) in editusers.cgi only sends the user name (et al.) to the browser in text format if the editusers permission is not detected by a true value in the $EditAll variable. This prevents any update to the group membership bits, since no hidden input field is generated for the user name. The reason for the "invalid email" error is the absence of an HTML input tag (which can easily be added client-side, so this is not ).

Expected Results:
I would expect that, if my permissions are set incorrectly, the message should be indicative of such. If the permissions "editgroups" and "set $GROUP bit for other users" are sufficient to make the change, the change should be effected.

Workaround:
Set the editusers permission for the user. This will allow them to do whatever they wish to other users, though this is not recommended in general in the 2.16 documentation.
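A model of the server-side behaviour the report asks for, as an added example that is neither Bugzilla's code nor part of the original report: the update handler decides from the editor's stored permissions rather than from which form fields arrived, and names the missing permission in the error. The function name, the dictionary shapes and the simplified address check are assumptions made for illustration.

```python
import re

# Simplified address check, for this example only (hypothetical).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class AuthError(Exception):
    """Raised when the editor lacks a permission; the message names it."""


def apply_user_update(editor, user, form):
    """Apply an edit-user form submission and return the updated record.

    editor: {"editusers": bool, "can_bless": set of group names}
    user:   {"login": str, "groups": set of group names}
    form:   submitted fields, e.g. {"login": ..., "groups": [...]}
    """
    if not editor["editusers"] and not editor["can_bless"]:
        raise AuthError("You need the editusers permission to do this")

    updated = {"login": user["login"], "groups": set(user["groups"])}

    if editor["editusers"]:
        # Only a full editor may change the login, so only then is it validated.
        login = form.get("login", user["login"])
        if not EMAIL_RE.match(login):
            raise ValueError("The user name entered must be a valid e-mail address")
        updated["login"] = login
    elif form.get("login", user["login"]) != user["login"]:
        # A changed login from a group-only editor is refused with a named reason,
        # whether or not the edit page rendered an input for it.
        raise AuthError("You need the editusers permission to change the user name")

    wanted = set(form.get("groups", user["groups"]))
    changed = wanted ^ user["groups"]  # membership bits the form tries to flip
    if not editor["editusers"]:
        denied = changed - editor["can_bless"]
        if denied:
            raise AuthError("You may not change membership in: "
                            + ", ".join(sorted(denied)))
    updated["groups"] = wanted
    return updated
```

With this shape, a group-only editor's submission succeeds without any user name field, and every refusal states which permission is missing instead of reporting an invalid address.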
Added 2.16.7, the version of default installation in which phenomenon was observed. Also observed in default install of 2.16.6 Bugzilla.
Version: unspecified → 2.16.7
*** This bug has been marked as a duplicate of 253088 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE