405119 - Member of editcomponents can create products. Require an additional cancreateproducts group

Status: VERIFIED DUPLICATE of bug 189627

(Bugzilla :: Administration, task)

Description

[Christophe Naslain]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5
Build Identifier: 3.0.1

In version 3.0.1, members of editcomponents can create products, components, version, milestones and set Edit Group Access Controls.

It would be great to have two levels of rights for product administration:
- One to create the product itself and set Edit Group Access Controls
- One that can manage the components, Target milestones and versions (in my cas, this is delegated to QA team who are not admins.

The reason for this is that members who creates products often requires user and group admin as well. Version & milestones and sometime components are manages by non-admins; in my case delegated to QA Team as they manage releases.

Suggestion:
- Create a default system group named cancreateproducts
- Modify  this is delegated to QA team who are not admins.

The reason for this is that members who creates products often requires user and group admin as well. Version & milestones and sometime components are manages by non-admins; in my case delegated to QA Team as they manage releases.

Suggestion:
- Create a default system group named cancreateproducts
- Modify editproducts.cgi and ask for $user->in_group('cancreateproducts') for the following actions:
  * add
  * new
  * editgroupcontrols
  * updategroupcontrols

All other actions can be assigned to editcomponents members.

Reproducible: Always

Comment 1

[Frédéric Buclin]

This feature is already available in Bugzilla 3.0, read the documentation.

Comment 2

[Christophe Naslain]

From the Bugzilla documentation (http://www.bugzilla.org/releases/3.0/new-features.html#v30_feat_ppp): "Per-Product Permissions: You can now grant users editbugs and canconfirm for only certain products. You can also grant users editcomponents on a product, which means they will be able to edit that product including adding/removing components and other product-specific controls."

OK. This is controlled into the product settings. So if I check the "editcomponents" option for my product, I grant anyone in the product group the editcomponents right for this product.

My Bugzilla configuration:
- One group per product (ie makeproductgroups config enabled)
- Each product "Group Access Controls" is set to:
  * Entry: checked
  * MemberControl: Mandatory
  * OtherControl: Mandatory
  * Canedit: Checked

We manage a large amount of products/groups for different populations. To post/edit, a user must be member of the group that controls the product. This means that all users of a product are member of the product group. We also have some users that are member of the  editcomponents system group; to add versions, milstones and components (but also by extension have access to 'Add new product' and 'Group Access Controls' which is not a privilege that we wish them to get).

If I check the new "editcomponents" option from the product "Group Access Controls", I will grant all members of the group (ie all users of the product) the right to add version, milestones, components etc. This is definitely NOT what we want to do.

More, this right also give all members the access to 'Group Access Controls' wich is not a functionnality that a granted user should have.

Comment 3

[Max Kanat-Alexander]

Just add another group, then. If you have a support question about this (meaning you want to know why we said Bugzilla 3.0 already does this, or how to do what you need with your installation), please ask it using one of the resources listed at http://www.bugzilla.org/support/