Authenticated Users with no roles are able to revise Events on QMO

Status: VERIFIED INVALID
Product: quality.mozilla.org
Component: Website
Reported: 9 years ago
Modified: 9 years ago

People

(Reporter: aakashd, Unassigned)

(Reporter)

Description

9 years ago
Sam pointed this out to me, but if you look at the following link:

http://quality.mozilla.org/node/440/revisions


Users ricmacas and atokubi, both support users, were either able to revise the event even though they don't have any roles set up to allow such permissions.

Tomcat believes this has something to do with the last two security updates we did as well as possibly they were participants of the event.
Alex, can you take a look at this?
OS: Mac OS X → All
Hardware: x86 → All
(In reply to comment #0)
> Users ricmacas and atokubi, both support users, were either able to revise the
> event even though they don't have any roles set up to allow such permissions.
> 
> Tomcat believes this has something to do with the last two security updates we
> did as well as possibly they were participants of the event.

Well, I said: 09:13 <@Tomcat> well this was before we fixed 2 security bugs :)

I think this has more to do with the fact that these guys are on the list of attendance for the event. According to the Permissions they should not be able to change the content, but somehow they do :/
(Reporter)

Comment 3

9 years ago
Ok, just tried test accounts on production and staging and neither of them were able to edit the event after putting themselves as participants of those events. I'm not sure where else to go with this.
My initial assumption is that the names were entered by someone who had permissions. I believe I can put someone else as an author even though I am editing the document. So if we cannot reproduce this, that's probably why.

However, to properly test, if this doesn't get solved quick, maybe we could try installing
http://drupal.org/project/masquerade
to switch users and see if they really do have permissions. Alternatively, we could ask them (might be quicker)
(In reply to comment #4)
> However, to properly test, if this doesn't get solved quick, maybe we could try
> installing
> http://drupal.org/project/masquerade
> to switch users and see if they really do have permissions. Alternatively, we
> could ask them (might be quicker)
We may be able to do this with the Devel module. Testing now on stage.
Yes, I'm similarly stumped. The first thing I checked was the permissions and the roles those users have (none). Nothing stands out.

For the record, I don't see atokubi in the revisions list.

I created a test account named 'buchanae-normal' and logged in, then joined the event.  After logging back in as an admin, I see 'buchanae-normal' now owns the current revision.

http://www.grabup.com/uploads/4ae80f7ddb9798e7a6bd5c67245dc8e6.png

Odd... Sounds like a Drupal fail. Not sure it's a critical security issue, as I couldn't edit the post as 'buchanae-normal'.
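The check the thread does by hand (log in as the user, try to edit, then look at who owns the revision) can be expressed as a query over the tables involved. The following is an added example, not code from QMO or from Drupal itself: it models the Drupal 6 tables `node`, `node_revisions`, `users_roles` and `permission` as I recall their layout, applies the Drupal 6 style "update" access rule (uid 1 bypasses; otherwise `administer nodes`, `edit any <type> content`, or `edit own <type> content` on a node whose `node.uid` is the user), and lists revisions whose recorded author could not have edited the node. The uids, role ids, the `join events` permission string and the row data are constructed to mirror the report and are not real QMO data. The point it demonstrates is the one Alex observed: `node_revisions.uid` records who was acting when the node was saved, while edit access is decided from `node.uid` plus roles, so owning the current revision does not grant edit rights. It also covers the caveat that a user "with no roles" still carries the implicit authenticated user role (rid 2), which is never stored in `users_roles`.

```python
"""Audit: list node revisions whose author could not have updated the node.

Added example (not QMO's or Drupal's code). Tables follow the Drupal 6 layout as
recalled; all row data below is constructed and labelled as such.
"""
import sqlite3

ANONYMOUS_RID = 1
AUTHENTICATED_RID = 2  # implicit in Drupal 6: never written to users_roles

SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE permission (pid INTEGER PRIMARY KEY, rid INTEGER, perm TEXT);
CREATE TABLE node (nid INTEGER PRIMARY KEY, vid INTEGER, type TEXT, uid INTEGER);
CREATE TABLE node_revisions (vid INTEGER PRIMARY KEY, nid INTEGER, uid INTEGER, log TEXT);
"""

# Constructed sample data. uids, rids and the 'join events' permission are assumptions.
SAMPLE = """
INSERT INTO users VALUES (1,'admin'),(4,'aakashd'),(5,'buchanae-normal');
INSERT INTO role VALUES (1,'anonymous user'),(2,'authenticated user'),(3,'editor');
INSERT INTO users_roles VALUES (4,3);            -- uid 5 has no explicitly assigned role
INSERT INTO permission VALUES
  (1,2,'access content, join events'),          -- any authenticated user may join an event
  (2,3,'access content, edit any event content');
INSERT INTO node VALUES (440, 3, 'event', 4);   -- node 440 authored by uid 4; vid 3 is current
INSERT INTO node_revisions VALUES
  (1,440,4,'initial'),
  (2,440,4,'edited description'),
  (3,440,5,'joined event');                      -- saved while uid 5 was the acting user
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db


def roles_of(db, uid):
    """Assigned roles plus the implicit anonymous/authenticated role."""
    rids = {rid for (rid,) in db.execute("SELECT rid FROM users_roles WHERE uid=?", (uid,))}
    rids.add(AUTHENTICATED_RID if uid else ANONYMOUS_RID)
    return rids


def permissions_of(db, uid):
    """Flatten the comma-separated permission.perm strings of every role the user holds."""
    perms = set()
    for rid in roles_of(db, uid):
        for (perm,) in db.execute("SELECT perm FROM permission WHERE rid=?", (rid,)):
            perms.update(p.strip() for p in perm.split(","))
    return perms


def can_update(db, uid, nid):
    """Drupal 6 style 'update' decision. Ownership means node.uid, not node_revisions.uid."""
    if uid == 1:
        return True
    row = db.execute("SELECT type, uid FROM node WHERE nid=?", (nid,)).fetchone()
    if row is None:
        return False
    ntype, owner = row
    perms = permissions_of(db, uid)
    if "administer nodes" in perms or f"edit any {ntype} content" in perms:
        return True
    return f"edit own {ntype} content" in perms and owner == uid


def current_revision_owner(db, nid):
    """Name shown as owner of the current revision on /node/<nid>/revisions."""
    return db.execute(
        "SELECT u.name FROM node n JOIN node_revisions r ON r.vid = n.vid "
        "JOIN users u ON u.uid = r.uid WHERE n.nid=?", (nid,)).fetchone()[0]


def revisions_by_non_editors(db):
    """Revisions whose recorded author lacks update access on the node: (vid, nid, name)."""
    rows = db.execute(
        "SELECT r.vid, r.nid, r.uid, u.name FROM node_revisions r "
        "JOIN users u ON u.uid = r.uid ORDER BY r.vid")
    return [(vid, nid, name) for vid, nid, uid, name in rows if not can_update(db, uid, nid)]


if __name__ == "__main__":
    db = open_db()
    print("current revision of 440 owned by:", current_revision_owner(db, 440))
    print("can uid 5 edit node 440?", can_update(db, 5, 440))
    print("revisions authored by users who cannot edit:", revisions_by_non_editors(db))
```

Run against a real Drupal 6 database the same two queries separate "whose name is on the revision" from "who can edit": a non-empty result from the last function is exactly the situation in the report, and it is only a privilege problem if `can_update` also returns True for that user.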
Okay, so I switched to sammybahamas and couldn't edit the event. It's probably like Alex said, a "naming" issue rather than permissions. Odd, though. Is it worth filing a Drupal bug, Alex?
(Reporter)

Comment 8

9 years ago
Yeah, it's not a critical security bug. I'm going to move the bug to normal due to this discussion and setting some of these comments as private. You guys can remove the private setting as you see fit.

Tomcat, move it out of private status :).
(Reporter)

Updated

9 years ago
Severity: critical → normal
(In reply to comment #7)
> Okay, so I switched to sammybahamas and couldn't edit the event. It's probably
> like Alex said, a "naming" issue rather than permissions. Odd, though. Is it
> worth filing a Drupal bug, Alex?

I don't know for sure that it's a Drupal core bug, so I'm not sure what you would file it under.  It could stem from the QMO's setup.  You could ask in the Drupal forums or IRC also.
Group: websites-security
(In reply to comment #6)
> I created a test account named 'buchanae-normal' and logged in, then joined the
> event.  After logging back in as an admin, I see 'buchanae-normal' now owns the
> current revision.
> 
> http://www.grabup.com/uploads/4ae80f7ddb9798e7a6bd5c67245dc8e6.png
> 
> Odd.... Sounds like Drupal fail.  Not sure it's a critical security issue, as I
> couldn't edit the post as 'buchanae-normal'
Per Alex's comment.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID
(Reporter)

Comment 11

9 years ago
verified sadly.
Status: RESOLVED → VERIFIED