User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier:

If you grant "Edit users" to any user, the user will be able to give himself or others admin rights unless he doesn't have these rights himself. He will also be able to revoke the admin rights from a user who already has administrator rights.

Reproducible: Always

Steps to Reproduce:
1. Grant "Edit Users" for a normal user.
2. Log in as the user you just granted admin rights.
3. Try to let him grant admin rights to himself and others (the user will succeed in doing this).
4. Try letting him revoke admin rights from a current admin user.

Actual Results:
The user will be able to revoke admin rights from all users and grant admin rights to himself, which will give him full control of the system even though he doesn't have admin rights from the beginning.

Expected Results:
It should be prompted that the user doesn't have permissions to perform the operation.

The user can even grant himself rights to modify the system parameters and in this way enable anonymous login (etc.) to the Bugzilla installation. When adding a user, it should not be possible to add a new user or edit an existing one in a way that gives the added or edited user(s) higher privileges than the user who is performing this has himself.
That's the goal of having editusers privs, specifically to change other users privileges, including admin privs. This is not the kind of privileges you give to untrusted users.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
It sounds like the real goal here was separating the ability to create users and the ability to edit privileges. If we don't already have an enhancement filed for that, you could file an enhancement request.
Seconding comment 1. Jess, if you do file a bug for the enhancement mentioned in comment 2, or if you find an already existing bug requesting this enhancement, please be so kind and add a comment here.
Status: RESOLVED → VERIFIED
*** Bug 357695 has been marked as a duplicate of this bug. ***
(In reply to comment #3)
> Jess, if you do file a bug for the enhancement mentioned in comment 2, or if
> you find an already existing bug requesting this enhancement, please be so kind
> and add a comment here.

That's bug 194686