Closed Bug 603598 Opened 14 years ago Closed 14 years ago

Any users can change any preferences of any bugs

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

Product:
Bugzilla
Component:
Creating/Changing Bugs
Version:
3.6.2
Platform:
x86_64
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: admin, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; ru; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 GTB7.1
Build Identifier: 3.6.2

All users can change any preferences of any bugs (Assigne, Product, Component, CC List, etc) even if he is not reporter or QA contact.

Reproducible: Always
This means your users have editbugs privs, which is exactly what these privileges are for. If you don't want to let them edit all bugs, remove these privilieges.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Version: unspecified → 3.6.2
Yes, I know this.
I've already deleted editbugs privilege from TESTUSER. There are no access points checked in the "Administration -> Users" tab on editusers.cgi page, but in the "Preferences -> Permissions" tab on page /userprefs.cgi?tab=permissions I see the following text:
"You have the following permission bits set on your account:
editbugs      Can edit all aspects of any bug"

The only solution I found is a manually deletion permission string in mySQL database. For example, in the 'user_group_map' table I delete this string:
user_id		group_id	isbless		grant_type
77		6		0		2

Now user 77 (TESTUSER) can`t edit any strangers bugs and in a "Preferences -> Permissions" of this user "editbugs" rules is not displayed.

I do not understand what the problem.
Probably all users have editbugs privs because the editbugs group has .* as regular expression. Go check that at editgroups.cgi.
You need to log in before you can comment on or make changes to this bug.