Creategroups allows the user to make themselves an admin

NEW
Unassigned

Status

Bugzilla
Administration
--
minor
9 years ago
9 years ago

People

(Reporter: Micha Nelissen, Unassigned)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: 3.0.4

Allowing a user to create groups also allows them to edit group inheritance/membership. This ultimately gives anyone with creategroups admin rights.

Reproducible: Always

Steps to Reproduce:
1. User is in group 'creategroups' and group A.
2. User modifies group settings for 'group A' to inherit 'editusers' or 'admin'.

Actual Results:  
User is now admin, or can put other users (or himself) in the admin group.

Expected Results:  
Not allow editing group security (or at least not inheriting admin or editusers etc).
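
The check asked for under "Expected Results", sketched as an added example that is not part of the original report and is not Bugzilla's code: an inheritance edit is refused when it would hand out `admin` or `editusers`, directly or through another group, to an editor who does not already hold it. The data model, the function names and the `helpers` group are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Bugzilla's schema or code.
PRIVILEGED = {"admin", "editusers"}  # the groups named in the report


def effective_groups(direct, inherits):
    """All groups a member of `direct` ends up in, following inheritance.

    inherits[g] is the set of groups that members of g are also placed in.
    """
    seen, stack = set(), list(direct)
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(inherits.get(g, ()))
    return seen


def naive_check(editor_groups, inherits, group, new_parent):
    """Behaviour described in the report: creategroups alone is sufficient."""
    return "creategroups" in effective_groups(editor_groups, inherits)


def guarded_check(editor_groups, inherits, group, new_parent):
    """Reject edits that hand out a privileged group the editor does not hold.

    Returns (allowed, privileged_groups_that_would_be_gained).
    """
    held = effective_groups(editor_groups, inherits)
    if "creategroups" not in held:
        return False, set()
    # Groups that members of `group` would gain, including transitive ones.
    gained = (effective_groups({new_parent}, inherits)
              - effective_groups({group}, inherits))
    escalated = (gained & PRIVILEGED) - held
    return not escalated, escalated


# Constructed sample data: 'helpers' is a hypothetical group that already
# inherits editusers; USER matches step 1 of the report.
INHERITS = {"helpers": {"editusers"}}
USER = {"creategroups", "group A"}
```

The transitive case matters: making 'group A' inherit the hypothetical `helpers` group is refused as well, because `helpers` itself inherits `editusers`.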

Updated

9 years ago
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: PC → All
Summary: Creategroups also implies editgroups → Creategroups allows the user to make themselves an admin

Comment 1

9 years ago
Following the discussion resulting in bug 315064, comment 5, this is probably a dupe of bug 194686.
(Reporter)

Comment 2

9 years ago
This is a different bug, as we are not giving anyone editusers permissions.