Any users can change any preferences of any bugs

RESOLVED INVALID

Status

()

Bugzilla
Creating/Changing Bugs
RESOLVED INVALID
8 years ago
8 years ago

People

(Reporter: Dmitry Aleksandrov, Unassigned)

Tracking

3.6.2
x86_64
Windows XP

Details

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; ru; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 GTB7.1
Build Identifier: 3.6.2

All users can change any preferences of any bugs (Assigne, Product, Component, CC List, etc) even if he is not reporter or QA contact.

Reproducible: Always

Comment 1

8 years ago
This means your users have editbugs privs, which is exactly what these privileges are for. If you don't want to let them edit all bugs, remove these privilieges.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID
Version: unspecified → 3.6.2
(Reporter)

Comment 2

8 years ago
Yes, I know this.
I've already deleted editbugs privilege from TESTUSER. There are no access points checked in the "Administration -> Users" tab on editusers.cgi page, but in the "Preferences -> Permissions" tab on page /userprefs.cgi?tab=permissions I see the following text:
"You have the following permission bits set on your account:
editbugs      Can edit all aspects of any bug"

The only solution I found is a manually deletion permission string in mySQL database. For example, in the 'user_group_map' table I delete this string:
user_id		group_id	isbless		grant_type
77		6		0		2

Now user 77 (TESTUSER) can`t edit any strangers bugs and in a "Preferences -> Permissions" of this user "editbugs" rules is not displayed.

I do not understand what the problem.

Comment 3

8 years ago
Probably all users have editbugs privs because the editbugs group has .* as regular expression. Go check that at editgroups.cgi.
You need to log in before you can comment on or make changes to this bug.