Closed Bug 328360 Opened 19 years ago Closed 19 years ago

Adding someone to a CC list bypasses view restrictions because the default for grouped bugs explicitly indicates that it will

Categories

(Bugzilla :: User Interface, enhancement)

x86
Linux
enhancement
Not set
normal

RESOLVED DUPLICATE of bug 309681

People

(Reporter: hacksaw, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

I have a bug set with a group restriction, i.e. you have to be a member of the group to see the bug. If a non-privileged user is added to the CC-list, suddenly they can see the bug.

I see now that there is a checkbox for CC group. It's small and easy to miss. I did. It should be off by default, or there should be a parameter to set its default state. In fact, there should also be a parameter as to whether it's allowed, since it's a social engineering security hole.

Reproducible: Always

Steps to Reproduce:
1. Create bug with access restriction
2. Check to see that user not in the appropriate group can't see the bug
3. Add that user to the CC list.
4. Now the non-privileged user can see the bug.

Actual Results: User could see the bug despite not being in the access group and the bug having the restriction.

Expected Results: The restrictions shouldn't have automatic backdoors. It should be possible to set up a restriction list, and know that no one can work around it.

i'm not sure what you want. but we aren't the os, and we don't control the video display. anyone who can open the bug can save the bugview and send it to anyone they can email. now you might have a system for preventing them from doing that, but i certainly don't know of one.

please include your bugzilla version when filing bugs against bugzilla.

now we could certainly make it a param to control the default behavior for those checkboxes, w/ one option even being not to allow people to choose to let cc's or similar see bugs. but that's not technically going to give you what you claim to want (per expected results).

(i'm not sure if this is UI or Admin, probably eventually admin, but i'm bumping it around for fun.)

Assignee: general → ui
Component: Bugzilla-General → User Interface
Summary: Adding someone to a CC list bypasses view restrictions → Adding someone to a CC list bypasses view restrictions because the default for grouped bugs explciitly indicates that it will
*** This bug has been marked as a duplicate of 309681 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Summary: Adding someone to a CC list bypasses view restrictions because the default for grouped bugs explciitly indicates that it will → Adding someone to a CC list bypasses view restrictions because the default for grouped bugs explicitly indicates that it will
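
The behaviour discussed in this bug, and the two parameters proposed in the comments, can be modelled as a small visibility check plus an audit that lists users who can see a restricted bug only because they are on its CC list. This is an added example, not Bugzilla code: the class, field and parameter names (`cc_can_see`, `cc_override_default`, `cc_override_allowed`) are hypothetical, the rule that a user must be in every restricting group is an assumption of the model, and the sample users are constructed.

```python
from dataclasses import dataclass, field

# Simplified model of the reported behaviour. All names are hypothetical;
# this is not Bugzilla's schema or implementation.

@dataclass
class Bug:
    bug_id: int
    groups: set                      # groups restricting the bug (empty = public)
    cc: set = field(default_factory=set)
    cc_can_see: bool = True          # the per-bug "CC list can see" checkbox

@dataclass
class Policy:
    # The two parameters proposed in the thread (assumed names).
    cc_override_default: bool = True   # initial state of the checkbox
    cc_override_allowed: bool = True   # whether the checkbox is honoured at all

def new_restricted_bug(bug_id, groups, policy):
    """Create a bug whose checkbox starts in the policy's default state."""
    return Bug(bug_id, set(groups), cc_can_see=policy.cc_override_default)

def in_groups(user_groups, bug):
    # Assumption: the user must belong to every group restricting the bug.
    return bug.groups <= set(user_groups)

def can_view(user, user_groups, bug, policy):
    if in_groups(user_groups, bug):
        return True
    # The path the reporter describes: CC membership overrides the groups.
    return policy.cc_override_allowed and bug.cc_can_see and user in bug.cc

def cc_only_viewers(bug, memberships, policy):
    """CC'd users whose only path to a restricted bug is the CC override."""
    return sorted(
        u for u in bug.cc
        if not in_groups(memberships.get(u, ()), bug)
        and can_view(u, memberships.get(u, ()), bug, policy)
    )

# Constructed sample data: alice is in the restricting group, bob is not.
MEMBERSHIPS = {"alice": {"security"}, "bob": set()}

if __name__ == "__main__":
    policy = Policy()                       # checkbox on by default, as reported
    bug = new_restricted_bug(1, {"security"}, policy)
    bug.cc.update({"alice", "bob"})
    print("visible via CC only:", cc_only_viewers(bug, MEMBERSHIPS, policy))
```

Running the audit over every restricted bug gives an administrator the list of people who would lose access if the checkbox default were switched off or the override disallowed.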