Dmitry Tysh

Hello,

I have created a project in TFS and added the developer's account into the Contributors group. Then I log in as a developer and go to Team > Team Project Settings > Group Membership, and the Contributors group has access to make changes in the Group Membership section. The 'Remove', 'Properties' and 'New' buttons are not disabled.

The Security section does not allow for changes but the Group Membership does. A developer should not have rights to add group or people into Group Membership.

Does anyone know how to fix this issue?

Thank you,

Dmitry Tysh




Re: Team Foundation Server - General Group Membership Security Issue

Adam Singer - MSFT

The permissions check is performed when you attempt to actually perform the operation, not when we load the dialog. That way, we can be sure to use the most up-to-date credentials. For example, let's say someone was a Project Administrator when they opened the dialog. They may leave it open in the background for a few minutes, hours, etc. During that time, their access may be revoked for one reason or another. When they come back to the dialog and attempt to make a change, it should use their current set of permissions rather than the ones they had when opening the dialog.

Are you finding that a normal contributor user (who isn't granted permissions by any other means, e.g. by being in the machine Administrators group of the AT) can commit membership changes without being explicitly granted that permission, or just that the button state doesn't reflect the current permissions?

Cheers,

Adam
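The two situations Adam separates (button state as a hint computed when the dialog opens, versus the authorization check enforced when the change is actually committed) in a small Python sketch. This is example code added for this thread, not TFS code: the group-to-permission table, the `MembershipStore` and `GroupMembershipDialog` classes, and the users `alice`, `bob`, `dave` and `carol` are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample permission model for this example (not TFS's real ACL
# model): each project group grants a set of named permissions.
EDIT_MEMBERSHIP = "EDIT_GROUP_MEMBERSHIP"
VIEW_PROJECT = "VIEW_PROJECT"

GROUP_PERMISSIONS = {
    "Project Administrators": {EDIT_MEMBERSHIP, VIEW_PROJECT},
    "Contributors": {VIEW_PROJECT},
    "Valid Users": {VIEW_PROJECT},
}


@dataclass
class MembershipStore:
    """Server-side, authoritative group membership (group -> set of users)."""
    members: dict = field(default_factory=dict)

    def groups_of(self, user):
        return {g for g, users in self.members.items() if user in users}

    def has_permission(self, user, perm):
        # Evaluated against the *current* membership every time it is asked,
        # never against a snapshot taken when some dialog was opened.
        return any(perm in GROUP_PERMISSIONS.get(g, set())
                   for g in self.groups_of(user))

    def _authorize(self, actor):
        # The check runs when the operation is attempted, so credentials that
        # were revoked after the dialog opened cannot be used to commit.
        if not self.has_permission(actor, EDIT_MEMBERSHIP):
            raise PermissionError(f"{actor} lacks {EDIT_MEMBERSHIP}")

    def add_member(self, actor, group, user):
        self._authorize(actor)
        self.members.setdefault(group, set()).add(user)

    def remove_member(self, actor, group, user):
        self._authorize(actor)
        self.members.get(group, set()).discard(user)


class GroupMembershipDialog:
    """Client dialog. Button state is a usability hint computed when the
    dialog opens; it should be refreshed, and it is never the security boundary."""

    def __init__(self, store, user):
        self.store = store
        self.user = user
        self.buttons_enabled = store.has_permission(user, EDIT_MEMBERSHIP)

    def refresh(self):
        """Re-query live permissions so the buttons reflect the current state."""
        self.buttons_enabled = self.store.has_permission(self.user, EDIT_MEMBERSHIP)
        return self.buttons_enabled

    def click_new(self, group, new_user):
        # Even a client that wrongly shows enabled buttons cannot bypass the
        # server: the store re-checks the actor on every call.
        self.store.add_member(self.user, group, new_user)


def revocation_scenario():
    """Adam's case: an administrator opens the dialog, is revoked while it is
    open, then tries to commit. Returns (enabled_at_open, denied, enabled_after_refresh)."""
    store = MembershipStore({"Project Administrators": {"alice", "dave"},
                             "Contributors": {"bob"}})
    dlg = GroupMembershipDialog(store, "alice")
    enabled_at_open = dlg.buttons_enabled
    # A second administrator revokes alice while her dialog sits open.
    store.remove_member("dave", "Project Administrators", "alice")
    try:
        dlg.click_new("Contributors", "carol")
        denied = False
    except PermissionError:
        denied = True
    return enabled_at_open, denied, dlg.refresh()


def contributor_scenario():
    """A plain contributor (member of Contributors and Valid Users only).
    Returns (buttons_enabled, denied, membership_unchanged)."""
    store = MembershipStore({"Project Administrators": {"alice"},
                             "Contributors": {"bob"},
                             "Valid Users": {"alice", "bob"}})
    dlg = GroupMembershipDialog(store, "bob")
    try:
        dlg.click_new("Project Administrators", "bob")  # attempted despite the hint
        denied = False
    except PermissionError:
        denied = True
    unchanged = store.members["Project Administrators"] == {"alice"}
    return dlg.buttons_enabled, denied, unchanged


if __name__ == "__main__":
    print("revocation:", revocation_scenario())    # (True, True, False)
    print("contributor:", contributor_scenario())  # (False, True, True)
```

The point of the split is that the `buttons_enabled` flag only ever affects what the user sees; whether a change lands is decided by `MembershipStore._authorize` at commit time. Enabled buttons for a contributor (the symptom reported above) are then a usability defect to fix with `refresh()`, not a privilege escalation, as long as the server-side check is in place.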






Re: Team Foundation Server - General Group Membership Security Issue

Eugene Zakhareyev

Adam,

I have come across this very issue a couple of times, and I think that it is a bug. It is not common to expect that if one opens a modal window and leaves it open for a while, the window will be refreshed. And I think the case you describe is extremely unlikely.

Moreover, it is implemented differently in other security-related TFS windows. So I always thought it is a bug that will be fixed. But judging by your answer it won't.

Regards, Eugene






Re: Team Foundation Server - General Group Membership Security Issue

Adam Singer - MSFT

Could you check if the users who see this issue are members of any other group that might grant them administrative privileges on the Team Foundation Server? On the machine I'm testing with, users solely in the Contributors group actually do have these buttons disabled. I will note that I'm using the Orcas version in case there's been any bug fix around this, but I don't recall seeing one.

Cheers,

Adam






Re: Team Foundation Server - General Group Membership Security Issue

Eugene Zakhareyev

Adam,

The users are members of the project Contributors group and Valid Users group only. I am pretty positive that everything is enabled, and an error message to the effect that the user has no permissions is displayed when something is changed and the change is submitted.

Hopefully, it is (or will be) fixed in Orcas. I will make a note to test sometime in the future. Thanks for the follow-up.

Regards, Eugene