Bug 366165 - User history should be filtered to only show the fields the person viewing it is allowed to view
Status: NEW (Open)
Opened 18 years ago; updated 11 years ago
Product / Component: Bugzilla :: User Accounts (defect)
Reporter: justdave; Unassigned
Attachments: 1 file, 1 obsolete file (2.25 KB patch; LpSolit: review-)
Right now, anyone with access to editusers for any reason (say they have bless rights for a group) can view the entire account history for a user, which may include adding and removing from groups the user might not otherwise have known existed, for example.
Comment 1 • 18 years ago (reporter)
er, make that view, not edit. If we show it to them on the editusers page, they should be allowed to see when it was changed.
Summary: User history should be filtered to only show the fields the person viewing it is allowed to edit → User history should be filtered to only show the fields the person viewing it is allowed to view
Comment 2 • 11 years ago (Michael Ching)
This seems to affect current versions of Bugzilla.
It appears that anyone with bless rights can view the account history not only for any user with a common group membership, but also any other user by simply changing the user id in the URL.
We have attached a patch we are using which restricts the "View Account History" functionality to users in the "editusers" group, rather than also including it for anyone with bless abilities. The link is removed in the user list, and an error is thrown if the URL is accessed directly.
Is there a significant use case for users who have "bless" rights but who are not members of the "editusers" group to view a filtered version of the account history rather than simply removing this option from them?
Comment 3 • 11 years ago
Comment 4 • 11 years ago
removes link from user view as well
Attachment #781954 - Attachment is obsolete: true
Comment 5 • 11 years ago
(In reply to Michael Ching from comment #2)
> Is there a significant use case for users who have "bless" rights but who
> are not members of the "editusers" group to view a filtered version of the
> the account history rather than simply removing this option from them?
Definitely, yes. At bmo, very few users have editusers privileges while it's very common to have bless privs for some groups only, in which case it makes total sense to know who set what for groups you manage.
Updated • 11 years ago
Attachment #781957 - Flags: review-
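As an added example that is not part of this bug or of the attached patch, the access policy comments 2 and 5 disagree about, modelled in Python rather than Bugzilla's Perl: the viewer's rights decide whether another user's account history is shown in full (editusers), filtered to the groups the viewer can bless, or refused outright when the page is reached by changing the user id in the URL. The ActivityRow and Viewer structures, logins and group names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


# Constructed stand-in for Bugzilla's profiles_activity rows: one change to
# another user's account. Group membership changes name the group touched.
@dataclass(frozen=True)
class ActivityRow:
    who: str                     # login of the person who made the change
    field: str                   # e.g. "login_name", "disabledtext", "group"
    removed: str
    added: str
    group: Optional[str] = None  # set only when field == "group"


@dataclass(frozen=True)
class Viewer:
    login: str
    in_editusers: bool
    bless_groups: Set[str]       # groups this viewer may add users to or remove from


class NotAuthorized(Exception):
    """Raised when the viewer may not see any of the target's history."""


def visible_history(viewer: Viewer, rows: List[ActivityRow]) -> List[ActivityRow]:
    """Filter another user's account history down to what the viewer may see.

    Hypothetical policy modelled on the bug thread, not Bugzilla's own code:
    editusers members see everything; users with only bless rights see the
    membership changes for exactly the groups they can bless (comment 5);
    anyone else is refused, so loading the page with a different user id in
    the URL (comment 2) discloses nothing.
    """
    if viewer.in_editusers:
        return list(rows)
    if not viewer.bless_groups:
        raise NotAuthorized(f"{viewer.login} has neither editusers nor bless rights")
    return [r for r in rows if r.field == "group" and r.group in viewer.bless_groups]


def sample_history() -> List[ActivityRow]:
    """Constructed history for one account, including membership of a group
    that a viewer with bless rights only for 'canconfirm' must not learn about."""
    return [
        ActivityRow("admin", "login_name", "old@example.org", "new@example.org"),
        ActivityRow("lead", "group", "", "canconfirm", group="canconfirm"),
        ActivityRow("admin", "group", "", "security", group="security"),
        ActivityRow("admin", "disabledtext", "", "account locked"),
    ]
```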