Open Bug 366165 Opened 18 years ago Updated 11 years ago

User history should be filtered to only show the fields the person viewing it is allowed to view

Categories: Bugzilla :: User Accounts, defect
Version 2.23.3, defect, priority Not set, severity normal
Reporter: justdave, Unassigned
Attachments: 1 file, 1 obsolete file

Right now, anyone with access to editusers for any reason (say they have bless rights for a group) can view the entire account history for a user, which may include adding and removing from groups the user might not otherwise have known existed, for example.
er, make that view, not edit. If we show it to them on the editusers page, they should be allowed to see when it was changed.
Summary: User history should be filtered to only show the fields the person viewing it is allowed to edit → User history should be filtered to only show the fields the person viewing it is allowed to view
This seems to affect current versions of Bugzilla. It appears that anyone with bless rights can view the account history not only for any user with a common group membership, but also any other user by simply changing the user id in the URL. We have attached a patch we are using which restricts the "View Account History" functionality to users in the "editusers" group, rather than also including it for anyone with bless abilities. The link is removed in the user list, and an error is thrown if the URL is accessed directly. Is there a significant use case for users who have "bless" rights but who are not members of the "editusers" group to view a filtered version of the account history rather than simply removing this option from them?
removes link from user view as well
Attachment #781954 - Attachment is obsolete: true
(In reply to Michael Ching from comment #2)
> Is there a significant use case for users who have "bless" rights but who
> are not members of the "editusers" group to view a filtered version of the
> the account history rather than simply removing this option from them?

Definitely, yes. At bmo, very few users have editusers privileges while it's very common to have bless privs for some groups only, in which case it makes total sense to know who set what for groups you manage.
Attachment #781957 - Flags: review-
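An added example (not Bugzilla's own code) of the filtering the comments above describe: editusers members see the full account history, bless-only users see just the group changes for groups they can bless, and the check runs on the request itself rather than relying on a hidden link. The record layout, names and sample history are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HistoryEntry:
    who: str      # account that made the change
    when: str     # timestamp as text
    field: str    # e.g. "group" or "login_name"
    removed: str  # old value ("" if nothing removed)
    added: str    # new value ("" if nothing added)

@dataclass(frozen=True)
class Viewer:
    login: str
    in_editusers: bool
    bless_groups: frozenset  # groups this viewer may grant or revoke

# Constructed sample history for one target account.
SAMPLE_HISTORY = [
    HistoryEntry("admin@example.test", "2013-07-01 10:00", "group", "", "canconfirm"),
    HistoryEntry("lead@example.test", "2013-07-02 09:30", "group", "", "secret-team"),
    HistoryEntry("admin@example.test", "2013-07-03 12:15", "login_name",
                 "old@example.test", "new@example.test"),
    HistoryEntry("lead@example.test", "2013-07-04 14:00", "group", "secret-team", ""),
]

def visible_history(viewer, history):
    """Return only the entries the viewer is allowed to see.

    editusers members see everything; bless-only viewers see group changes
    for groups they can bless; anyone else sees nothing.
    """
    if viewer.in_editusers:
        return list(history)
    if not viewer.bless_groups:
        return []
    return [e for e in history
            if e.field == "group" and (e.removed or e.added) in viewer.bless_groups]

def account_history_page(viewer, target_user_id, history_by_user):
    """Endpoint-style handler: the authorization check is made on every
    request, so editing the user id in the URL cannot bypass it."""
    if not viewer.in_editusers and not viewer.bless_groups:
        raise PermissionError("not authorized to view account history")
    return visible_history(viewer, history_by_user.get(target_user_id, []))
```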