Closed
Bug 381738
Opened 18 years ago
Closed 18 years ago
SaveAccount() in userprefs.cgi doesn't check Bugzilla->user->authorizer->can_change_{password|email}
Categories
(Bugzilla :: User Accounts, defect, P2)
RESOLVED
FIXED
Bugzilla 3.0
People
(Reporter: LpSolit, Assigned: timello)
Details
Attachments (1 file)
1.25 KB, patch (LpSolit: review+)
Even if the UI is fine and checks Bugzilla->user->authorizer->can_change_{password|email} correctly, you can still hack the URL to bypass these checks, as SaveAccount() ignores them. This lets you change your email and password even though the Auth system says you cannot. Not a blocker, but would be fine to take for 3.0.1.
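The gap described in this report, shown as an added example that is neither Bugzilla's code nor the attached patch: a save handler that relies on the form having hidden the fields, next to one that repeats the capability checks itself. The handler names, request parameter names and the MockAuthorizer class are hypothetical; only the can_change_password and can_change_email method names come from the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the authorizer object; it models only the two
# capability methods named in the bug report.
package MockAuthorizer {
    sub new { my ($class, %caps) = @_; return bless {%caps}, $class }
    sub can_change_password { return $_[0]{password} }
    sub can_change_email    { return $_[0]{email} }
}

package main;

# Before: the handler assumes the form only offered permitted fields, so the
# authorizer is never consulted and any submitted value is applied.
sub save_account_unchecked {
    my ($authorizer, $params, $account) = @_;
    $account->{password} = $params->{new_password}   if defined $params->{new_password};
    $account->{email}    = $params->{new_login_name} if defined $params->{new_login_name};
    return $account;
}

# After: the handler repeats the same capability checks the UI performs
# before acting on each field.
sub save_account_checked {
    my ($authorizer, $params, $account) = @_;
    if ($authorizer->can_change_password && defined $params->{new_password}) {
        $account->{password} = $params->{new_password};
    }
    if ($authorizer->can_change_email && defined $params->{new_login_name}) {
        $account->{email} = $params->{new_login_name};
    }
    return $account;
}

# Constructed input: the auth backend owns both fields (both capabilities are
# false), yet the submitted request carries values for them anyway.
my $authorizer = MockAuthorizer->new(password => 0, email => 0);
my %request = (new_password => 'constructed-value', new_login_name => 'new@example.invalid');

for my $handler (\&save_account_unchecked, \&save_account_checked) {
    my $account = $handler->($authorizer, \%request,
                             { email => 'old@example.invalid', password => 'old' });
    printf "email=%s password_changed=%s\n",
        $account->{email}, $account->{password} ne 'old' ? 'yes' : 'no';
}
```

The point for review is that the check lives in the code path that performs the write, so it holds regardless of which fields the rendered form exposed.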
Updated•18 years ago
|
Priority: -- → P2
| Assignee | ||
Updated•18 years ago
|
Status: NEW → ASSIGNED
| Assignee | ||
Updated•18 years ago
|
Assignee: user-accounts → timello
Status: ASSIGNED → NEW
| Assignee | ||
Updated•18 years ago
|
Status: NEW → ASSIGNED
| Assignee | ||
Comment 1•18 years ago
|
||
Attachment #272208 -
Flags: review?(LpSolit)
| Reporter | ||
Comment 2•18 years ago
|
||
Comment on attachment 272208
Checks if the email and the password can be changed.
We usually put && and || at the beginning of lines, but that's a nit and can be fixed on checkin. r=LpSolit
Attachment #272208 -
Flags: review?(LpSolit) → review+
| Reporter | ||
Updated•18 years ago
|
Flags: approval3.0+
Flags: approval+
| Reporter | ||
Comment 3•18 years ago
|
||
tip:
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.114; previous revision: 1.113
done
3.0:
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.112.2.2; previous revision: 1.112.2.1
done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED