User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: 3.0.4

Allowing to create groups also allows to edit group inheritance/membership. This ultimately allows anyone with creategroups admin rights.

Reproducible: Always

Steps to Reproduce:
1. User is in group 'creategroups' and group A.
2. User modifies group settings for 'group A' to inherit 'editusers' or 'admin'.

Actual Results:
User is now admin, or can put other users (or himself) in the admin group.

Expected Results:
Not allow editing group security (or at least not inheriting admin or editusers etc).
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: PC → All
Summary: Creategroups also implies editgroups → Creategroups allows the user to make themselves an admin
This is a different bug, as we are not giving anyone editusers permissions.