Closed Bug 861410 Opened 11 years ago Closed 11 years ago

"edit users" has too many privileges

Categories

(Bugzilla :: Administration, task)

2.23
task
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 315064

People

(Reporter: jessn, Unassigned)

Details

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Build ID: 20130307023931

Steps to reproduce:

Granted "Edit Users" to a regular user WITHOUT admin permissions


Actual results:

The regular user with the newly granted "Edit Users" is able to revoke admin permissions from admin users, grant admin permissions to themself and grant admin permissions to others.


Expected results:

A user that has been granted "Edit Users" without admin should not be able to revoke admin permissions from admin users or grant admin permissions to other users.

In general, it should not be possible to elevate users to higher privileges than yourself or revoke exclusive permissions from more privileged users.
Summary: edit users → edit users has to many privileges
Summary: edit users has to many privileges → "edit users" has to many privileges
editusers privs let you edit all privileges of all users. It is so by design. And you already reported this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Attached file edit.html.tmpl
Attached file userdata.html.tmpl
To fix this issue, the following checks have been added...

If otheruser == admin and user != admin then "disable change passw, disabled text"
If user != admin and perm / group in (admin, ...) then "disable inherit, bless"
(In reply to Frédéric Buclin from comment #1)
> editusers privs let you edit all privileges of all users. It is so by
> design. And you already reported this bug.
> 
> *** This bug has been marked as a duplicate of bug 315064 ***

This is a fix for the bug, if anyone should be interested in another behaviour than the standard.
Summary: "edit users" has to many privileges → "edit users" has too many privileges
Severity: normal → enhancement
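The rule stated under "Expected results", together with the password check from the comment above, written as a server-side check rather than as disabled form controls. This is an added example, not Bugzilla's code or the attached templates; the `User` model, the group names and the function names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model for illustration: not Bugzilla's schema or code.
@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

def check_user_edit(actor, target, add=frozenset(), remove=frozenset(),
                    change_password=False):
    """Return the list of policy violations; an empty list means allowed."""
    if "editusers" not in actor.groups:
        return ["actor lacks editusers"]
    violations = []
    # No granting a group the actor does not hold (covers self-promotion).
    for g in sorted(add - actor.groups):
        violations.append(f"grant {g}: actor does not hold it")
    # No revoking a group the actor does not hold from someone who has it.
    for g in sorted((remove & target.groups) - actor.groups):
        violations.append(f"revoke {g}: actor does not hold it")
    # Changing the password of a more privileged account is a takeover path.
    if change_password and not target.groups <= actor.groups:
        violations.append("password: target holds groups the actor lacks")
    return violations

def apply_user_edit(actor, target, add=frozenset(), remove=frozenset()):
    """Enforce the check at the point where memberships are written."""
    violations = check_user_edit(actor, target, add, remove)
    if violations:
        raise PermissionError("; ".join(violations))
    target.groups = (target.groups | set(add)) - set(remove)

def demo():
    # Constructed accounts matching the report's scenario.
    admin = User("admin", {"admin", "editusers"})
    helper = User("helper", {"editusers"})
    return {
        "self_promote": check_user_edit(helper, helper, add={"admin"}),
        "demote_admin": check_user_edit(helper, admin, remove={"admin"}),
        "admin_passwd": check_user_edit(helper, admin, change_password=True),
        "delegate_own": check_user_edit(helper, User("new"), add={"editusers"}),
        "admin_grants": check_user_edit(admin, helper, add={"admin"}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "allowed")
```

Disabling the controls in a template only hides them; the same check has to run where the submitted form is processed, which is what `apply_user_edit` stands in for.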