Users can grant themselves admin rights and revoke them from others

Status: VERIFIED INVALID

Product: Bugzilla
Component: User Accounts
Priority: --
Severity: trivial
Reported: 13 years ago
Modified: 5 years ago

People: Reporter jessn, Unassigned

Description (Reporter)

13 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier: 

If you grant "Edit users" to any user, the user will be able to give himself or others admin rights unless he doesn't have these rights himself.

He will also be able to revoke the admin rights from a user who already has administrator rights.

Reproducible: Always

Steps to Reproduce:
1. Grant "Edit Users" for a normal user.
2. Login as the user you just granted admin rights.
3. Try to let him grant admin rights to himself and others (the user will succeed in doing this).
4. Try letting him revoke admin rights from a current admin user.

Actual Results:  
The user will be able to revoke admin rights from all users and grant admin rights to himself, which will give him full control of the system even though he doesn't have admin rights from the beginning.

Expected Results:  
It should be prompted that the user doesn't have permissions to perform the operation.

The user can even grant himself rights to modify the system parameters and through this way enable anonymous login (etc.) to the bugzilla installation.

When adding a user it should not be possible to add a new user or edit an existing one in a way that gives the added or edited user(s) higher privileges than the user who is performing this has himself.
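The two group-editing policies discussed in this bug, as a small added model (not Bugzilla's own code; the user and group names are constructed): `current_policy` is the behaviour the reporter observed and comment 1 describes, and `bounded_policy` is the constraint the reporter asks for in the last paragraph, where an editor may only grant or revoke groups the editor holds.

```python
"""Added example, not Bugzilla's code: two policies for editing group membership."""
from dataclasses import dataclass, field

EDITUSERS = "editusers"   # constructed group names
ADMIN = "admin"


@dataclass
class User:
    name: str
    groups: set[str] = field(default_factory=set)


class NotPermitted(Exception):
    """Raised when a policy refuses a membership change."""


def current_policy(actor: User, target: User, add: set, remove: set) -> User:
    """Behaviour in the report: anyone in editusers may change any membership
    of any user, including adding admin to themselves or removing it from others."""
    if EDITUSERS not in actor.groups:
        raise NotPermitted(f"{actor.name} lacks {EDITUSERS}")
    target.groups = (target.groups | add) - remove
    return target


def bounded_policy(actor: User, target: User, add: set, remove: set) -> User:
    """The rule the reporter asks for: an editor may only add or remove groups
    the editor is a member of, so nobody can hand out more than they hold."""
    if EDITUSERS not in actor.groups:
        raise NotPermitted(f"{actor.name} lacks {EDITUSERS}")
    overreach = (add | remove) - actor.groups
    if overreach:
        raise NotPermitted(f"{actor.name} may not change {sorted(overreach)}")
    target.groups = (target.groups | add) - remove
    return target


def allowed(policy, actor: User, target: User, add=frozenset(), remove=frozenset()) -> bool:
    """True if the policy permits the change; target is untouched on refusal."""
    try:
        policy(actor, target, set(add), set(remove))
        return True
    except NotPermitted:
        return False


if __name__ == "__main__":
    eve = User("eve", {EDITUSERS})          # constructed: editusers only
    print(allowed(current_policy, eve, eve, add={ADMIN}))  # True: self-escalation
    eve2 = User("eve2", {EDITUSERS})
    print(allowed(bounded_policy, eve2, eve2, add={ADMIN}))  # False: blocked
```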

Comment 1

13 years ago
That's the goal of having editusers privs, specifically to change other users' privileges, including admin privs. This is not the kind of privileges you give to untrusted users.
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID

Comment 2

13 years ago
It sounds like the real goal here was separating the ability to create users and the ability to edit privileges. If we don't already have an enhancement filed for that, you could file an enhancement request.

Comment 3

Seconding comment 1.
Jess, if you do file a bug for the enhancement mentioned in comment 2, or if you find an already existing bug requesting this enhancement, please be so kind and add a comment here.
Status: RESOLVED → VERIFIED
Severity: major → trivial

Comment 4

12 years ago
*** Bug 357695 has been marked as a duplicate of this bug. ***

Comment 5

12 years ago
(In reply to comment #3)
> Jess, if you do file a bug for the enhancement mentioned in comment 2, or if
> you find an already existing bug requesting this enhancement, please be so kind
> and add a comment here.

That's bug 194686

Updated

5 years ago
Duplicate of this bug: 861410