Bug 454565 - Creategroups allows the user to make themselves an admin
Status: NEW
Product: Bugzilla
Classification: Server Software
Component: Administration
: unspecified
: All All
-- minor
: ---
Assigned To: Nobody; OK to take it and work on it
: default-qa
Reported: 2008-09-10 05:24 PDT by Micha Nelissen
Modified: 2008-09-18 11:52 PDT

Description Micha Nelissen 2008-09-10 05:24:31 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: 3.0.4

Allowing a user to create groups also allows them to edit group inheritance/membership. This ultimately allows anyone with creategroups to gain admin rights.

Reproducible: Always

Steps to Reproduce:
1. User is in group 'creategroups' and group A.
2. User modifies group settings for 'group A' to inherit 'editusers' or 'admin'.

Actual Results:  
User is now admin, or can put other users (or himself) in the admin group.

Expected Results:  
Not allow editing group security (or at least not inheriting admin or editusers etc).
Comment 1 bigstijn 2008-09-18 07:55:36 PDT
Following the discussion resulting in bug 315064, comment 5, this is probably a dupe of bug 194686.
Comment 2 Micha Nelissen 2008-09-18 11:52:59 PDT
This is a different bug, as we are not giving anyone editusers permissions.
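
The escalation described in this report, and one way to block it, as an added Python model (not Bugzilla's code, and not written by the reporter or commenters). The `inherits` map, the function names, group B and the policy "an editor may only hand out privileges they already hold" are assumptions made for illustration; the policy is more general than the "not inheriting admin or editusers" rule the report suggests.

```python
# Toy model of group inheritance (illustrative; not Bugzilla's implementation).
# inherits[g] is the set of groups whose privileges members of g also receive.

def effective_groups(direct, inherits):
    """Return every group held directly or through inheritance (transitive)."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:          # the seen-set also guards against cycles
            seen.add(group)
            stack.extend(inherits.get(group, ()))
    return seen

def add_inheritance(inherits, group, parent):
    """Unguarded edit: return a copy of the map where `group` inherits `parent`."""
    updated = {g: set(p) for g, p in inherits.items()}
    updated.setdefault(group, set()).add(parent)
    return updated

def may_add_inheritance(editor_direct, inherits, parent):
    """Assumed policy: an editor may only hand out privileges they already hold."""
    held = effective_groups(editor_direct, inherits)
    if "creategroups" not in held:
        return False
    # Everything `parent` confers, including what it inherits in turn.
    return effective_groups({parent}, inherits) <= held

# Constructed sample state matching the report: user is in creategroups and A.
USER = {"creategroups", "A"}
INHERITS = {"B": {"editusers"}}        # constructed: B already inherits editusers

if __name__ == "__main__":
    after = add_inheritance(INHERITS, "A", "admin")
    print("unguarded:", sorted(effective_groups(USER, after)))
    for parent in ("admin", "B", "A"):
        verdict = "allowed" if may_add_inheritance(USER, INHERITS, parent) else "denied"
        print(parent, verdict)
```

The check on `B` shows why the guard has to follow inheritance transitively: B is not itself a privileged group, but inheriting it would still confer editusers.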
