Closed Bug 499392 Opened 16 years ago Closed 16 years ago

TopSecret hidden products & components are listed in 'advanced search' to users without permission

Categories

(Bugzilla :: Query/Bug List, defect)

x86
Windows XP
defect
Not set
major

RESOLVED INVALID

People

(Reporter: martin.greil, Unassigned)

Details

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Build Identifier: version 3.2.3

Several listboxes on the search page are filled with confidential 'Topsecret' Products or Components.

Reproducible: Didn't try

Steps to Reproduce:
1. Login as Administrator | navigate to Administration | Products
2. Edit "Topsecret" Product | Edit Group Access Controls
3. Grant access to group "Topsecret": select "Entry,Mandatory,Mandatory,Canedit"
4. With all other groups select "off,NA,NA,off"
5. Login as user without any permission OR do not login at all
6. Navigate to search page "Find a Specific Bug" or "Advanced Search"

Actual Results:
The Product "Topsecret" and all its Components are listed to user without any permissions.

Expected Results:
Product "Topsecret" and all its Components must not be listed. IF all the switches in "Edit Group Access Controls" cannot manage the visibility of the Product to the Usergroups THEN a new extra switch "show Product to Members of this Group" might help.
What version of Bugzilla?
Bugzilla version 3.2.3

During the last hour I did a lot of tryouts and now I know this was a false alarm. Somebody else did changes on the group "Topsecret". I asked him for the reason: he has added a new usergroup "BetaTester" and gave them access. Now the actual settings for product "Topsecret" are:
usergroup "Topsecret" = "Entry,Default,Mandatory,Canedit".
usergroup "BetaTester" = "Entry,Default,Mandatory,Canedit".
Then the user without permissions can see product "Topsecret" in the 'Search' but not in 'New'.
That explains why I couldn't duplicate it. Better safe than sorry.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Group: bugzilla-security
Thank you, but by the way, what setting is needed to lock out the user without permissions? That setting will not work:
usergroup "Topsecret" = "Entry,Mandatory,Mandatory,Canedit".
usergroup "BetaTester" = "Entry,Mandatory,Mandatory,Canedit".
because both usergroups must not be member of each other..?
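
Added example, not part of the original thread and not Bugzilla code: a small Python audit of the group-control settings quoted above, flagging products that restrict entry but are still listed on the search page to a user with no groups. The visibility rules in the comments are assumptions chosen to match the behaviour reported in this bug, and all function names and sample data are constructed for illustration.

```python
# Simplified model of per-product group controls (assumed rules, see below).
# Assumption 1: a product is hidden on the search page only from users who
#               lack a group whose MemberControl is "Mandatory".
# Assumption 2: a product is offered under "New" only to users who hold
#               every group that has the Entry flag set.

# Constructed sample data: (product, group) -> (entry, member, other, canedit)
REPORTED = {  # settings found after "BetaTester" was added
    ("Topsecret", "Topsecret"): (True, "Default", "Mandatory", True),
    ("Topsecret", "BetaTester"): (True, "Default", "Mandatory", True),
}
INTENDED = {  # settings from the original steps to reproduce
    ("Topsecret", "Topsecret"): (True, "Mandatory", "Mandatory", True),
}


def controls_for(cmap, product):
    """Group controls that apply to one product."""
    return {g: c for (p, g), c in cmap.items() if p == product}


def listed_in_search(cmap, product, user_groups):
    """True if the product name shows up in the search listboxes."""
    return all(g in user_groups
               for g, (_, member, _, _) in controls_for(cmap, product).items()
               if member == "Mandatory")


def listed_in_new(cmap, product, user_groups):
    """True if the user may file a bug in the product."""
    return all(g in user_groups
               for g, (entry, _, _, _) in controls_for(cmap, product).items()
               if entry)


def audit(cmap):
    """Products that restrict entry yet are listed to a user with no groups."""
    nobody = frozenset()
    return [p for p in sorted({p for p, _ in cmap})
            if listed_in_search(cmap, p, nobody)
            and not listed_in_new(cmap, p, nobody)]


if __name__ == "__main__":
    print("reported settings:", audit(REPORTED))
    print("intended settings:", audit(INTENDED))
```

Under these assumed rules, setting both groups to Mandatory hides the product from any user who is not a member of both groups, which is the constraint raised in the last comment.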