[Savannah-hackers] Re: [Fwd - Frm: address@hidden, Subj: SAVANNAH SECURI
From: Tom Lord
Subject: [Savannah-hackers] Re: [Fwd - Frm: address@hidden, Subj: SAVANNAH SECURITY BUG]
Date: Wed, 31 Dec 2003 09:08:20 -0800 (PST)

> From: Mathieu Roy <address@hidden>
> "Bradley M. Kuhn" <address@hidden> said:
> > savannah-hackers, could you please investigate this report? You can
> > write back to Tom directly to ask for details.

I would have written directly in the first place but I wasn't sure
that was appropriate for a report of this nature.

> > It seems that any savannah user can edit the bug database of my
> > project -- even those whom I have not authorized to do so.

> Can you give an example?

Sure. Prior to the crack, only managers could reassign or change the
status of tracker items for gnu-arch. Besides me, only robertc had
been given such privileges.

Recently, user jblack has needed to work on the tracker with
technician and manager privileges. I offered to give him those
privileges but he thought I already had because he's been closing
bugs, assigning bugs and so forth.

It is _not_ a problem for the project that jblack is doing those
things -- I want him to be doing those things. He has my permission
even though the savannah software doesn't think he does.

What is a problem (for Savannah) is that he is not yet a member of the
project (he has a membership request pending) and does not have
technician or manager permissions.

At first I thought this meant "any user can do these things" but I
wonder now if it really isn't "any user with a pending membership
request"?

Thanks,
-t