Closed
Bug 622079
Opened 15 years ago
Closed 15 years ago
Changing the group which can bless all groups
Categories
(Bugzilla :: Bugzilla-General, defect)
RESOLVED
WONTFIX
People
(Reporter: gerv, Unassigned)
Details
(Follow-up from bug 621879, duped to WONTFIXed bug 147276)
BMO wants to change it so only admins can bless all groups. editusers.cgi:
- if ($self->in_group('editusers')) {
- # Users having editusers permissions may bless all groups.
+ if ($self->in_group('admin')) {
+ # Users having admin permissions may bless all groups.
$self->{'bless_groups'} = [Bugzilla::Group->get_all];
...
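Review bot: The `in_group('admin')` check on the `+` line hard-codes the replacement group name exactly as the removed line hard-coded `editusers`, so the hunk switches behaviour for one site rather than making it customizable as the report asks. As written, members of `editusers` stop receiving `Bugzilla::Group->get_all` in `bless_groups` with no fallback visible here. Consider taking the group name from a site setting that defaults to `editusers`, and change the wording in the permissions template in the same patch so the text shown to users matches the check.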
And also template/en/default/account/prefs/permissions.html.tmpl.
Please advise on what sort of patch would be acceptable to make this customizable.
Gerv
Comment 1•15 years ago
I disagree with this change. editusers really is about editing user accounts. Maybe you have too many people having editusers privs, if that's a problem.
Comment 2•15 years ago (Reporter)
But if someone with editusers can bless _all_ groups, they can just add themselves to the admin group, so the two become equivalent anyway - right?
Gerv
Comment 3•15 years ago
I personally see the editusers group as being more powerful than the admin group, because an admin can only do things thanks to inheritance, while editusers privs really let you get all privileges.
Comment 4•15 years ago (Reporter)
I suggest it is somewhat counter-intuitive that things work that way. People expect groups called "root" or "admin" to be the most powerful in the system.
We could fix this by changing it so that editusers allowed you to change any user permissions _except_ making yourself or anyone else an admin. (Only an admin could do that.) What do you think?
Gerv
Comment 5•15 years ago
This doesn't help at all. You could simply add yourself to all other groups, which is mostly the same as being an admin. I don't want to treat admin differently, because it doesn't need to. Admins should understand what "Can edit or disable users" means and don't give editusers privs too easily. (One could then argue that editusers should be merged with admin, and have a single admin group.)
Comment 6•15 years ago
Gerv: Could you explain what problem you are trying to solve?
Comment 7•15 years ago (Reporter)
My understanding is that the problem is this: we want to give people editusers so they can give people e.g. editbugs and canconfirm. But we don't want to give those people full administrative rights in the system, which they effectively get if editusers means they can make themselves admins.
How would you solve this problem?
Groups don't have a grant_group, so we can't say something like "editusers can be given by anyone who is a member of editusers_givers". Bugzilla only allows a single "I can edit everything about a user" privilege.
Gerv
Comment 8•15 years ago
(In reply to comment #7)
> My understanding is that the problem is this: we want to give people editusers
> so they can give people e.g. editbugs and canconfirm.
In that case, you have to create an additional group, and let this group set the canconfirm and editbugs bits only. You don't need to give these users full editusers privs.
Comment 9•15 years ago (Reporter)
(In reply to comment #8)
> In that case, you have to create an additional group, and let this group set
> the canconfirm and editbugs bits only. You don't need to give these users full
> editusers privs.
Could you outline how that would be done?
Gerv
Comment 10•15 years ago
(In reply to comment #7)
> Groups don't have a grant_group, so we can't say something like "editusers can
> be given by anyone who is a member of editusers_givers". Bugzilla only allows a
> single "I can edit everything about a user" privilege.
Ah, actually, you should just be using the bless groups, which already exist. Bugzilla does in fact have this system.
Comment 11•15 years ago
(In reply to comment #10)
> Ah, actually, you should just be using the bless groups, which already exist.
> Bugzilla does in fact have this system.
Yeah, I told him on IRC yesterday how to do that. I suggest to close this bug as wontfix. No reason to change something which works.
Comment 12•15 years ago
So, with this discussion, unless I'm misunderstanding Gerv's requirements, I'm going to mark this WORKSFORME.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Comment 13•15 years ago
Oh, I suppose WONTFIX is a more appropriate resolution, yeah.
Resolution: WORKSFORME → WONTFIX
Comment 14•15 years ago (Reporter)
Yep - unless I've misunderstood the purpose behind the customization, then this is an appropriate resolution. Thanks, guys :-)
Gerv
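The point the thread settles on (comments 2, 8 and 10), as an added example that is not part of this bug or of Bugzilla's code: a small Python model of bless relationships that reports which groups can reach `admin` or `editusers` by blessing their own account. The group `triage_granters` and the `BLESS` table are constructed for illustration; `"*"` stands for the "may bless all groups" rule in the quoted hunk.

```python
# Constructed model, not Bugzilla code. Each group maps to the groups its
# members may bless (grant to users). "*" means "may bless all groups".
ALL = "*"

def reachable_groups(start, bless, all_groups):
    """Groups a member of `start` can end up in by repeatedly blessing
    their own account with whatever their current groups allow."""
    held, frontier = set(start), list(start)
    while frontier:
        grants = bless.get(frontier.pop(), set())
        if ALL in grants:
            grants = all_groups
        for group in grants:
            if group not in held:
                held.add(group)
                frontier.append(group)
    return held

def escalation_report(bless, all_groups, sensitive=("admin", "editusers")):
    """Map each group to the sensitive groups its members can reach
    but do not start in. Groups with no such path are omitted."""
    report = {}
    for group in sorted(all_groups):
        gained = reachable_groups({group}, bless, all_groups) - {group}
        hits = sorted(gained & set(sensitive))
        if hits:
            report[group] = hits
    return report

GROUPS = {"admin", "editusers", "editbugs", "canconfirm", "triage_granters"}

BLESS = {
    # Assumption: admin gets editusers through inheritance (comment 3),
    # modelled here as admin being able to bless everything.
    "admin": {ALL},
    # The rule in the quoted hunk: editusers may bless all groups.
    "editusers": {ALL},
    # Hypothetical delegated group from comment 8: two bits only.
    "triage_granters": {"editbugs", "canconfirm"},
}

if __name__ == "__main__":
    for group, hits in escalation_report(BLESS, GROUPS).items():
        print(f"{group} can reach: {', '.join(hits)}")
```

Running the report again after any change to bless settings shows whether a delegated group has gained a path to `editusers` or `admin`.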