#1547 Unauthorized user creating groups?

v1.0.0
closed
sf-2 (994)
General
nobody
2015-08-20
2011-02-22
No

On the motorola test project https://sourceforge.net/p/mtest/home/, Scott Osborne was able to go into the admin area and create the Kool and the Gang group, even without admin permissions.

Related

Tickets: #1541

Discussion

  • Rick Copeland - 2011-02-22

    Also note that the permission required is 'security', which by default is a permission held by the 'Admin' group.

     
  • Jenny Steele - 2011-02-23
    • status: open --> in-progress
    • assigned_to: Jenny Steele
     
  • Jenny Steele - 2011-02-28
    • status: in-progress --> open
    • assigned_to: Jenny Steele --> Rick Copeland
    • size: 2 --> 2
     
  • Jenny Steele - 2011-02-28

    I thought I had narrowed this down to users deleted from permission groups incorrectly retaining their permissions, but I can no longer reproduce this locally. Rick has some ideas about how to debug this better on the server so sending to him.

     
  • Rick Copeland - 2011-02-28

    This is believed to be fixed -- we detected an instance where a user was in a group 'twice' and the user removal-from-group code would only remove one instance of the user. We should monitor for further problems along these lines, however, and particularly ask if Scott Osborne can reproduce the error once this commit is pushed.

     
  • Rick Copeland - 2011-02-28
    • status: open --> closed
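
The failure mode described in the 2011-02-28 comment (a user listed in a group twice, with removal deleting only one entry) can be reproduced with the following added example. It is not the project's own code: the in-memory group model, the function names and the sample user `user_a` are assumptions made for illustration. It shows the flawed removal beside a hardened one, plus an audit helper for the monitoring the comment asks for.

```python
from collections import Counter

# Hypothetical model: group name -> list of member usernames.
# Storing members in a list (not a set) is what allows duplicate entries.

def sample_state():
    """Constructed sample data: 'user_a' is listed twice in 'Admin'."""
    groups = {"Admin": ["admin1", "user_a", "user_a"], "Member": ["user_a"]}
    grants = {"security": ["Admin"]}  # 'security' is held by 'Admin' by default
    return groups, grants

def remove_member_first_match(groups, group, user):
    """Flawed removal: list.remove() deletes only the first matching entry."""
    if user in groups[group]:
        groups[group].remove(user)

def remove_member_all(groups, group, user):
    """Hardened removal: drop every entry for the user; return how many were removed."""
    before = len(groups[group])
    groups[group] = [m for m in groups[group] if m != user]
    return before - len(groups[group])

def has_permission(groups, grants, user, permission):
    """True if any group that holds `permission` still lists `user`."""
    return any(user in groups.get(g, []) for g in grants.get(permission, []))

def duplicate_memberships(groups):
    """Audit helper: (group, user, count) for every user listed more than once."""
    return sorted((g, u, n) for g, members in groups.items()
                  for u, n in Counter(members).items() if n > 1)

if __name__ == "__main__":
    groups, grants = sample_state()
    print("duplicates found:", duplicate_memberships(groups))

    remove_member_first_match(groups, "Admin", "user_a")
    print("after flawed removal, still has 'security':",
          has_permission(groups, grants, "user_a", "security"))

    groups, grants = sample_state()
    removed = remove_member_all(groups, "Admin", "user_a")
    print("hardened removal deleted", removed, "entries; still has 'security':",
          has_permission(groups, grants, "user_a", "security"))
```
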
     
