Open
Bug 454565
Opened 17 years ago
Updated 17 years ago
Creategroups allows the user to make themselves an admin
Categories
(Bugzilla :: Administration, task)
NEW
People
(Reporter: micha.nelissen, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: 3.0.4
Allowing a user to create groups also allows them to edit group inheritance/membership. This ultimately gives anyone with creategroups admin rights.
Reproducible: Always
Steps to Reproduce:
1. User is in group 'creategroups' and group A.
2. User modifies group settings for 'group A' to inherit 'editusers' or 'admin'.
Actual Results:
User is now admin, or can put other users (or himself) in the admin group.
Expected Results:
Not allow editing group security (or at least not inheriting admin or editusers etc).
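The escalation path in the steps above, next to one possible guard, as an added example that is not part of the original report and is not Bugzilla's code. The inheritance map, the function names and the rule "an editor may only hand out groups they already hold" are assumptions made for illustration.

```python
# Constructed model of group inheritance; not Bugzilla's schema or code.

def effective_groups(direct, inherits):
    """All groups a user holds: direct memberships plus everything reachable
    through inheritance. inherits[g] = groups that members of g also receive."""
    seen, stack = set(), list(direct)
    while stack:
        g = stack.pop()
        if g not in seen:          # the seen-set also makes cycles terminate
            seen.add(g)
            stack.extend(inherits.get(g, ()))
    return seen

def add_inheritance_unchecked(inherits, group, target):
    """Behaviour described in the report: any inheritance edit is accepted."""
    updated = {g: set(s) for g, s in inherits.items()}
    updated.setdefault(group, set()).add(target)
    return updated

def add_inheritance_checked(editor_direct, inherits, group, target):
    """Hypothetical guard: an editor may only hand out what they already hold."""
    held = effective_groups(editor_direct, inherits)
    if "creategroups" not in held:
        raise PermissionError("editor may not edit groups")
    granted = effective_groups({target}, inherits)
    if not granted <= held:
        raise PermissionError(f"edit would grant {sorted(granted - held)}")
    return add_inheritance_unchecked(inherits, group, target)

# Constructed sample state: the user from step 1 of the report.
USER = {"creategroups", "A"}
INHERITS = {"admin": {"editusers", "creategroups"}}

def demo():
    """Return (escalated_without_check, blocked_with_check)."""
    after = add_inheritance_unchecked(INHERITS, "A", "admin")
    escalated = "admin" in effective_groups(USER, after)
    try:
        add_inheritance_checked(USER, INHERITS, "A", "admin")
        blocked = False
    except PermissionError:
        blocked = True
    return escalated, blocked

if __name__ == "__main__":
    print(demo())
```

The guard compares transitive closures, so it also rejects an edit that reaches 'admin' or 'editusers' indirectly through an intermediate group.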
Updated • 17 years ago
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: PC → All
Summary: Creategroups also implies editgroups → Creategroups allows the user to make themselves an admin
Following the discussion resulting in bug 315064, comment 5, this is probably a dupe of bug 194686.
Comment 2 • 17 years ago (Reporter)
This is a different bug, as we are not giving anyone editusers permissions.