Bug 458142 - Users without editbugs privileges can remove other users from the CC list
Status: Closed (opened 16 years ago, closed 14 years ago)
Categories: Bugzilla :: Creating/Changing Bugs, defect
People: Reporter: bugzilla-graveyard, Unassigned
Description
STR:
1) Have a Bugzilla account without editbugs privileges.
2) Visit a bug with someone other than yourself on the CC list.
3) Click the Edit link.
4) Select an e-mail address that is not yours and check the "Remove" box.
5) Submit.
AR:
CC is removed.
ER:
Error should be thrown, or better yet, the "Edit" link simply shouldn't appear at all for users without editbugs privileges. They can add themselves to the CC list easily enough otherwise.
It seems to me like users without editbugs privileges shouldn't be allowed to add or remove any addresses from the CC list other than their own registered address, yet it seems that just happened (the 01 October 2008 activity):
https://bugzilla.mozilla.org/show_activity.cgi?id=315812
Filing as UNCO because I have no idea if this is already filed. I couldn't find it in a search, but I don't know the Bugzilla component as well as I know some others.
Mildly security-sensitive because there's no way for the people who are removed in this manner to know about it, AFAIK.
Updated•16 years ago
Version: unspecified → 3.2
Comment 1•16 years ago
This is not a security bug. It is so by design.
Assignee: email-notifications → create-and-change
Group: bugzilla-security
Severity: normal → trivial
Component: Email Notifications → Creating/Changing Bugs
Comment 2•16 years ago
Oh, and the "add other users" bit of the request is definitely WONTFIX. If you need to CC someone else and you don't have any privs, you should still be able to do it. If a user abuses this, his account should be disabled.
Comment 3 (Reporter)•16 years ago
At least on b.m.o, experience ought to have taught us that most users who do not have editbugs privileges are not in any way knowledgeable enough to make proper decisions about who they should and shouldn't be CCing. There seem to be ample channels other than the Bugzilla CC field for bringing things to the appropriate developers' attention (and again, on b.m.o, a lot of developers choose not to receive bugmail at all because of this sort of thing).
That still leaves the silent removal issue, however.
Comment 4•16 years ago
(In reply to comment #3)
> That still leaves the silent removal issue, however.
This is untrue. If you are removed from the CC list, you get bugmail about it (of course, assuming you set your email prefs to get them in this case). So this is not an issue.
Comment 5•16 years ago
Actually, I was under the impression that users without editbugs should not be able to edit the CC for anybody other than themselves, unless they're the reporter or other empowered user.
Comment 6•16 years ago
One reason (valid or not is another question) to still allow powerless users to remove other users from the CC list is when they create a 2nd account instead of changing the email address of their old account (e.g. when you leave a company and so you can no longer use your old email address). In that case, they would like to remove their old accounts from the CC list using their new account.
Now if we decide that this use case is not important enough, we can decide to enforce this restriction in the code, with which I'm fine. But I'm still opposed to forbidding powerless users from adding other users to the CC list.
Comment 7•16 years ago
(In reply to comment #6)
> One reason (valid or not is another question) to still allow powerless users to
> remove other users from the CC list is when they create a 2nd account instead
> of changing the email address of their old account (e.g. when you leave a
> company and so you can no longer use your old email address). In that case,
> they would like to remove their old accounts from the CC list using their new
> account.
This is because Bugzilla doesn't make it well-known that you can change your e-mail address. I've talked to lots of folks who created second accounts because they had no idea they could go to Preferences -> Name and Account and change their e-mail address there. Maybe "Name and Account" needs to be renamed to something else? Not sure what the solution is, but that is indeed a common problem.
Comment 8•16 years ago
Yeah, I think we should make things uniform and not allow people to remove others from the CC list if they don't have editbugs. If they have two accounts, they can still log in and remove themselves from the list.
Updated•16 years ago
Severity: trivial → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 9•16 years ago
We will only address the "remove" bit of the request.
Summary: Users without editbugs privileges can add and remove other users from email CC list → Users without editbugs privileges can remove other users from the CC list
Comment 10•16 years ago
Oh wait, I thought you meant that they already couldn't add users.
No, if they can add users to the CC list, they should be able to remove them. I just want to keep things consistent.
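The rule the thread settles on (anyone may add anyone and remove themselves; removing someone else needs editbugs) is small enough to show as code. The block below is an added illustration in Python, not Bugzilla's own Perl implementation: the User and Bug structures, the way the editbugs group is looked up, and the example.com accounts are all constructed for this example. It puts the unchecked behaviour from the report next to the checked form, and makes the point the reporter's "hide the Edit link" suggestion glosses over: the form can be posted directly, so the check has to live in the request handler, not in the UI.

```python
"""Model of the CC-list authorization rule discussed in this bug.

Illustrative Python, not Bugzilla's Perl implementation. The User/Bug
structures, the 'editbugs' group check and the sample accounts below are
constructed for this example; only the rule itself comes from the thread.
"""
from dataclasses import dataclass, field


class CCPermissionError(PermissionError):
    """Raised when a CC change is rejected by the authorization rule."""


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset = frozenset()

    @property
    def editbugs(self) -> bool:
        return "editbugs" in self.groups


@dataclass
class Bug:
    bug_id: int
    cc: set = field(default_factory=set)
    # (actor, action, target) records; the bugmail sender described in
    # comment 4 would notify the target of each cc_remove from this log.
    activity: list = field(default_factory=list)


def apply_cc_change_unchecked(bug: Bug, actor: User, add=(), remove=()) -> Bug:
    """Behaviour the report and comment 11 describe: the server accepts any
    removal from any logged-in account. Hiding the Edit link in the UI would
    not change this, since the form can be posted directly."""
    for login in add:
        bug.cc.add(login)
        bug.activity.append((actor.login, "cc_add", login))
    for login in remove:
        bug.cc.discard(login)
        bug.activity.append((actor.login, "cc_remove", login))
    return bug


def can_remove_from_cc(actor: User, target: str) -> bool:
    """Rule settled on in comments 8-10: anyone may remove their own address;
    removing anyone else requires editbugs. Adding is unrestricted (comment 2)."""
    return target == actor.login or actor.editbugs


def apply_cc_change(bug: Bug, actor: User, add=(), remove=()) -> Bug:
    """Hardened form. Every removal is authorized before anything is mutated,
    so a request mixing a permitted add with a forbidden remove is rejected
    whole and leaves no partial change or activity record."""
    denied = sorted(t for t in remove if not can_remove_from_cc(actor, t))
    if denied:
        raise CCPermissionError(
            f"{actor.login} may not remove {', '.join(denied)} "
            f"from the CC list of bug {bug.bug_id}"
        )
    return apply_cc_change_unchecked(bug, actor, add, remove)


def demo() -> dict:
    """Replay the report's STR against both implementations."""
    alice = User("alice@example.com")                            # no editbugs
    triager = User("triager@example.com", frozenset({"editbugs"}))
    start = {"alice@example.com", "dev@example.com", "qa@example.com"}

    unchecked = Bug(458142, cc=set(start))
    apply_cc_change_unchecked(unchecked, alice, remove=["dev@example.com"])

    checked = Bug(458142, cc=set(start))
    try:
        apply_cc_change(checked, alice,
                        add=["friend@example.com"], remove=["dev@example.com"])
        rejected = False
    except CCPermissionError:
        rejected = True

    # Still allowed without editbugs: adding someone, removing oneself.
    apply_cc_change(checked, alice,
                    add=["friend@example.com"], remove=["alice@example.com"])
    # Removing a third party needs editbugs.
    apply_cc_change(checked, triager, remove=["qa@example.com"])

    return {
        "unchecked_cc": unchecked.cc,
        "rejected": rejected,
        "checked_cc": checked.cc,
        "activity": checked.activity,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened form validates every removal before touching the bug, so a mixed request (one allowed add, one forbidden remove) fails as a unit rather than half-applying; and because it delegates to the unchecked function afterwards, the diff between the two is exactly the authorization check. The activity list is where a bugmail step would pick up removals to notify the affected address, which is the notification comment 4 relies on.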
Comment 11•15 years ago
I can confirm this. On Red Hat's bugzilla I created an account so I can submit bugs/comment/etc., but I have no real privileges as far as I know (e.g. I'm not a Red Hat employee). I can remove people from the CC lists of bugs that I have nothing to do with (I didn't report the bug, I haven't commented, I haven't added myself to the CC list, etc.). But I can completely nuke the CC list if I want to.
Comment 12•15 years ago
kurt, you don't need to remove people from the CC list as a proof of concept. We know the bug exists!
Comment 13•15 years ago
Apologies, I just wanted to make sure it still existed (no comments/etc. since late 2008, I was hoping it was silently fixed in the last year).
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE