Can clear a flag by way of switching the product back and forth

RESOLVED DUPLICATE of bug 261995


(Reporter: Wurblzap, Unassigned)

(Reporter)

Description

11 years ago
Even if I don't have permission to, I can clear a flag by way of moving the bug into a product where the flag does not apply and moving it back into the product where it came from. Happened on b.m.o bug 364056 -- this is me assuming I don't have permission to clear blocking3.0 in the Bugzilla product, thus I'm filing this as UNCONFIRMED.

See bug 286160, comment 1.

I'm not really sure this is a sec bug, but better safe than sorry.

Comment 1

11 years ago
That's the desired effect. It's more important to let you move a bug into the right product than to prevent you from clearing a flag. Moreover, you have enough privs to clear the flag anyway as you don't need to be in the grant group of the flag type to remove +/-. This group is here only to limit who can set the flag to +/-, not the opposite.
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → WONTFIX

Updated

11 years ago
Status: RESOLVED → VERIFIED
Status: VERIFIED → UNCONFIRMED
Resolution: WONTFIX → ---
This is not the desired effect for most developers using BMO, but it does seem to be the opinion of bugzilla developers (see bug 261995, this is basically a dupe of that one).

However, while I may grumble loudly about losing flags without warning or notice for unrestricted flags (and I *do* grumble), it is a separate bug that people can get around flag-setting permissions by forcing a product change.

bug 303183 is similar, only dealing with groups instead of flags. If there are restrictions on setting some bit of data then that restriction should also prevent changing other fields that implicitly change the restricted field.

This is a conflict between whether it's more important to categorize a bug properly or keep the flags/groups set properly. Categorization appears important, but given the potential damage from revealing a security exploit or losing track of an important bug for a release (because bugzilla sucks at branch management) the other data is equally important.
Status: UNCONFIRMED → NEW
Ever confirmed: true
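The rule stated in the comment above (a restriction on one field must also gate other changes that implicitly alter it), as an added illustration that is not Bugzilla's own code: the unchecked move reproduces the bypass from the report, the checked variant refuses a product change unless the user could clear every flag it would drop. The flag type, product names, group name and the assumption that clearing is gated by the grant group are all constructed for this example (comment 1 notes that real Bugzilla lets anyone clear a flag).

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

@dataclass(frozen=True)
class FlagType:
    name: str
    products: FrozenSet[str]    # products this flag applies to
    grant_group: Optional[str]  # group needed to set or clear it; None = anyone

@dataclass
class Bug:
    product: str
    flags: Dict[str, str] = field(default_factory=dict)  # flag name -> '+', '-' or '?'

class PermissionDenied(Exception):
    pass

def can_clear(user_groups: Set[str], ftype: FlagType) -> bool:
    # Assumed policy for this example: clearing is gated by the grant group.
    return ftype.grant_group is None or ftype.grant_group in user_groups

def move_bug_unchecked(bug: Bug, new_product: str, flag_types: Dict[str, FlagType]) -> List[str]:
    """Behaviour from the report: flags that do not apply in the target product are
    dropped silently, so moving out and back clears them without any permission check."""
    dropped = [n for n in bug.flags if new_product not in flag_types[n].products]
    for n in dropped:
        del bug.flags[n]
    bug.product = new_product
    return dropped

def move_bug_checked(bug: Bug, new_product: str, flag_types: Dict[str, FlagType],
                     user_groups: Set[str]) -> List[str]:
    """Hardened variant: work out which flags the move would implicitly clear and refuse
    the whole move unless the user may clear each one directly. Nothing changes on refusal."""
    dropped = [n for n in bug.flags if new_product not in flag_types[n].products]
    denied = [n for n in dropped if not can_clear(user_groups, flag_types[n])]
    if denied:
        raise PermissionDenied(f"moving to {new_product!r} would clear restricted flags: {denied}")
    for n in dropped:
        del bug.flags[n]
    bug.product = new_product
    return dropped

# Constructed sample: a flag that applies only to product "Bugzilla", gated by group "drivers".
FLAG_TYPES = {"blocking3.0": FlagType("blocking3.0", frozenset({"Bugzilla"}), "drivers")}

def demo_bypass() -> Dict[str, str]:
    """Move a flagged bug out of its product and back with no checks; the flag is lost."""
    bug = Bug("Bugzilla", {"blocking3.0": "+"})
    move_bug_unchecked(bug, "Other", FLAG_TYPES)     # flag dropped here, silently
    move_bug_unchecked(bug, "Bugzilla", FLAG_TYPES)  # back where it started, flag gone
    return bug.flags
```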

Comment 3

11 years ago
(19:38:10) LpSolit: dveditz: see bug 291391
(19:38:31) LpSolit: dveditz: the restriction you are talking about has been relaxed in this bug
(19:39:10) dveditz: setting a flag to ? is different than clearing it, but OK
(19:39:29) LpSolit: dveditz: no, read comment 2
(19:40:07) dveditz: yeah, I did. thus "but OK"
(19:40:15) dveditz: I bow to reality
(19:40:58) dveditz: alright, I guess you can dupe it to 261995


*** This bug has been marked as a duplicate of 261995 ***
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE

Comment 4

11 years ago
Also note bug 349077.