Bug 271596 (Closed)
Opened 20 years ago, closed 19 years ago
editcomponents priv allows you to see/edit products you don't have access to
Categories: Bugzilla :: User Interface, defect
Status: RESOLVED FIXED (Bugzilla 2.22)
People: Reporter: timeless, Assigned: LpSolit
Attachments (1 file, 1 obsolete file): patch, 11.29 KB, wicked: review+
Access Denied You do not have the permissions necessary to access that product. -- That's kinda funny, since I can load: https://bugzilla.mozilla.org/editcomponents.cgi?product=Talkback and read the list there.
Updated (Assignee)•20 years ago
Assignee: myk → LpSolit
OS: Windows XP → All
Hardware: PC → All
Comment 1 (Assignee)•20 years ago
Attachment #172159 - Flags: review?
Updated (Assignee)•20 years ago
Status: NEW → ASSIGNED
Updated•20 years ago
Attachment #172159 - Flags: review? → review+
Updated (Assignee)•20 years ago
Flags: approval?
Target Milestone: --- → Bugzilla 2.20
Comment 2•20 years ago
The correct fix for this situation is to prevent the person with editcomponents from being able to see/edit products that they don't have access to in editproducts.cgi. Or better yet, a product-level editcomponents priv. There are things on b.m.o that timeless shouldn't be able to see (despite his ability to know where the places are that he can't get to). I'm not outright WONTFIXing this, because it might make sense for the global editcomponents priv once we have product-level editcomponents that we can hand out. But there's no way I'm going to allow this to land prior to that.
Flags: approval? → approval-
Target Milestone: Bugzilla 2.20 → Future
Comment 3•20 years ago
I don't see the problem. When you rework editcomponents to be per product, you'd just rework one more cgi. Either the priv disappears globally, in which case you remove it from one more script, or it's supplemented by a new permission which is per product and would need to be applied to this script too, in about the same place as the current bit. The fact is that this really only applies to me anyway :), and it's really just a convenience; I can just as easily get the info I want from editcomponents.
Comment 4•20 years ago
ok, we discussed this on IRC... we're going to fix editcomponents so unless you're a member of group 'admin', 'editcomponents' only lets you edit products you can otherwise see anyway.
Flags: approval-
Target Milestone: Future → Bugzilla 2.20
Comment 5•20 years ago
Comment on attachment 172159 [details] [diff] [review]: allow users in the editcomponents group to view all products, v1
review- per previous discussion
Attachment #172159 - Flags: review-
Updated (Assignee)•20 years ago
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
Updated•20 years ago
Summary: editcomponents priv should clobber groupset for describecomponents → editcomponents priv allows you to see/edit products you don't have access to
Comment 6•20 years ago
*** Bug 294604 has been marked as a duplicate of this bug. ***
Comment 7•20 years ago
Is there any chance that this fix can also land on 2.18.2? For us it would be quite important that 'admins' of a product can edit all aspects of their own product but not those of all others. I would even see that as a security-blocker...
Comment 8 (Assignee)•19 years ago
I won't backport this patch for 2.18 or even 2.20 as it implies a lot of new code and files which do not exist for earlier versions, mainly Product.pm. Note to self: when bug 293524 is fixed, the single remaining place to fix will be editflagtypes.cgi (the list of products available for flag inclusions and exclusions).
Comment 9 (Assignee)•19 years ago
(In reply to comment #4)
> ok, we discussed this on IRC... we're going to fix editcomponents so unless
> you're a member of group 'admin', 'editcomponents' only lets you edit products
> you can otherwise see anyway.

editcomponents.cgi is not the only file involved in the discussion. editversions.cgi, editmilestones.cgi, editproducts.cgi and editclassifications.cgi should also be considered. But I'm not sure hiding products I'm not allowed to see is the right solution, as I could create a product which has the same name as an existing product (for editproducts.cgi). Better would be to display product names, but forbid editing or getting any information on them. Comments?
Comment 10•19 years ago
How about if we only allow admins to create new products, or add a separate priv for that? And then not let someone who can't see all products create new ones? What we really need here is product-specific admin rights, but that's definitely a new feature.
Comment 11 (Assignee)•19 years ago
*** Bug 315068 has been marked as a duplicate of this bug. ***
Updated (Assignee)•19 years ago
Flags: blocking2.22?
Comment 12•19 years ago
Bug #315068: What I had in mind was that a "global" admin or even a "(global) Edit component" right was used to create the product initially. Then a "local" Edit component right was granted to one of the persons who is a member of the current product. Then they will be able to maintain their own product without the need of any global admin rights, and they will not be able to access any products that they don't currently have permission to.
Comment 13 (Reporter)•19 years ago
Again, at bmo I'm likely to be allowed to create new products, so your restriction is going to hurt things a lot more than it's going to help. Do it the other way.
Comment 14 (Assignee)•19 years ago
Only allows the user to edit properties of a product (including its versions, milestones and components) he is allowed to see. Per discussion with justdave on IRC, the user is trustable enough to let him know if a product he is not allowed to edit exists or not (because he could guess it anyway when creating or renaming a product to an existing name). editclassifications.cgi uses 'editclassifications' privs and so doesn't need to be considered here. And editflagtypes.cgi will be fixed separately...

(17:39:05) LpSolit: justdave: if a flag type is applied to a product you cannot see, I suppose editflagtypes.cgi should not allow you to edit/rename/delete this flag type?
(17:39:33) justdave: you know, this is really a huge can of worms
(17:39:40) LpSolit: yes I know
(17:39:41) justdave: make joel do it ;)
(17:39:44) LpSolit: :-D
(17:39:51) LpSolit: can I split this bug then?
(17:40:00) justdave: yeah, go for it

Attachment #172159 - Attachment is obsolete: true
Attachment #203817 - Flags: review?(wicked)
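The access decision adopted in comment 14 (and the name-clash trade-off raised in comment 9), modelled in Python as an added example; this is not Bugzilla's Perl code, and the group names, product names, and the `can_see_product` helper are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    name: str
    # Groups a user must be in to see the product; empty means public (constructed model).
    required_groups: frozenset = frozenset()


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset

    def can_see_product(self, product):
        # Visibility comes only from group membership: per comment 16, being in
        # 'admin' does not by itself make every product visible.
        return product.required_groups <= self.groups


def editable_products_before_fix(user, products):
    # Behaviour reported in the bug: the global 'editcomponents' priv exposes
    # every product, including ones the user cannot otherwise see.
    if "editcomponents" not in user.groups:
        return []
    return [p.name for p in products]


def editable_products_after_fix(user, products):
    # Behaviour after the fix (comment 14): 'editcomponents' still gates the
    # admin pages, but only products the user can see are listed or editable.
    if "editcomponents" not in user.groups:
        return []
    return [p.name for p in products if user.can_see_product(p)]


def create_product(user, products, name):
    # Product creation after the fix. The uniqueness check deliberately runs over
    # all products (case-insensitively, an assumption of this model), so a clash
    # with a hidden product is still reported; comment 14 accepts that this
    # reveals the product's existence, since the user could guess it anyway.
    if "editcomponents" not in user.groups:
        raise PermissionError("editcomponents privilege required")
    if any(p.name.lower() == name.lower() for p in products):
        raise ValueError(f"product {name!r} already exists")
    products.append(Product(name))
    return name


# Constructed sample data: one public product and one restricted to a group.
PRODUCTS = [Product("Firefox"), Product("Talkback", frozenset({"talkback-team"}))]
EDITOR = User("editor@example.com", frozenset({"editcomponents"}))
```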
Comment 15•19 years ago
Please make sure that the "you cannot see all components unless you are in 'admin'" is documented somewhere. :-)
Comment 16 (Assignee)•19 years ago
(In reply to comment #15)
> Please make sure that the "you cannot see all components unless you are in
> 'admin'" is documented somewhere. :-)

Actually, this comment is wrong! Depending on how group inheritance is configured, you could be in the 'admin' group but not be allowed to see some products (a good example is our QA installations on landfill ;)).
Whiteboard: [relnote comment 15] → [relnote comment 16]
Updated•19 years ago
Attachment #203817 - Flags: review?(wicked) → review+
Updated•19 years ago
Flags: approval?
Updated•19 years ago
Flags: approval? → approval+
Comment 17 (Assignee)•19 years ago
Checking in editcomponents.cgi;
/cvsroot/mozilla/webtools/bugzilla/editcomponents.cgi,v <-- editcomponents.cgi
new revision: 1.65; previous revision: 1.64
done
Checking in editmilestones.cgi;
/cvsroot/mozilla/webtools/bugzilla/editmilestones.cgi,v <-- editmilestones.cgi
new revision: 1.47; previous revision: 1.46
done
Checking in editproducts.cgi;
/cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v <-- editproducts.cgi
new revision: 1.108; previous revision: 1.107
done
Checking in editversions.cgi;
/cvsroot/mozilla/webtools/bugzilla/editversions.cgi,v <-- editversions.cgi
new revision: 1.42; previous revision: 1.41
done
Checking in Bugzilla/User.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/User.pm,v <-- User.pm
new revision: 1.97; previous revision: 1.96
done
Checking in template/en/default/global/user-error.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/global/user-error.html.tmpl,v <-- user-error.html.tmpl
new revision: 1.143; previous revision: 1.142
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 18•19 years ago
Added to the Bugzilla 2.22 Release Notes in bug 322960, including data from comment 16 and the other relevant comments.
Keywords: relnote
Whiteboard: [relnote comment 16]
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa