Open Bug 380106 Opened 18 years ago Updated 13 years ago

Possible product name leakage when deleting user accounts

Categories: Bugzilla :: Administration (task)
Priority: Not set
Severity: minor


People

(Reporter: LpSolit, Unassigned)


A user with 'editusers' privs may see the name of products he is not allowed to see when deleting a user account if this user account is the default assignee or QA contact of these products. We should fix that and add a comment in the page telling him that the list of products is not exhaustive. I suspect all versions back to 2.20 are affected.
... but editusers basically means admin. Why do we care? People with editusers can just grant themselves access to those types of things.
Being able to doesn't mean we should let it go this way. That's why the severity has been set to 'minor'.
We could use what I did in bug 327077, patch v2.
Note that I'd like to just say "<invisible product>" instead of not displaying that the user has responsibilities.
Someone with the power to delete users better be trustworthy enough to know what all the products are. I don't think we care if they can see the product names. If we do care, they should be told that the user they're trying to delete has more privs than they do and they'll need to find someone with more privs to do the delete. Hiding what they're connected to doesn't seem viable, since it's stuff that would have to be fixed before the user can be deleted.
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security
(In reply to Dave Miller [:justdave] from comment #5)
> I don't think we care if they can see the product names.

Yes, ok, I agree. Leaving the bug open for now, but no longer marked as a security bug.
Group: bugzilla-security