Commit 1609f8fc authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 385209: Any (powerless) user who can see a restricted bug can remove the bug…

Bug 385209: Any (powerless) user who can see a restricted bug can remove the bug from non-mandatory groups, which should only be possible when moving the bug to another product - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
parent 275a10ab
...@@ -227,6 +227,7 @@ if ($cgi->cookie("BUGLIST") && defined $cgi->param('id')) { ...@@ -227,6 +227,7 @@ if ($cgi->cookie("BUGLIST") && defined $cgi->param('id')) {
defined($cgi->param('product')) defined($cgi->param('product'))
|| ThrowCodeError('undefined_field', { field => 'product' }); || ThrowCodeError('undefined_field', { field => 'product' });
my $product_change = 0;
if ((defined $cgi->param('id') && $cgi->param('product') ne $bug->product) if ((defined $cgi->param('id') && $cgi->param('product') ne $bug->product)
|| (!$cgi->param('id') || (!$cgi->param('id')
&& $cgi->param('product') ne $cgi->param('dontchange'))) && $cgi->param('product') ne $cgi->param('dontchange')))
...@@ -371,6 +372,7 @@ if ((defined $cgi->param('id') && $cgi->param('product') ne $bug->product) ...@@ -371,6 +372,7 @@ if ((defined $cgi->param('id') && $cgi->param('product') ne $bug->product)
|| ThrowTemplateError($template->error()); || ThrowTemplateError($template->error());
exit; exit;
} }
$product_change = 1;
} }
# At this point, the component must be defined, even if set to "dontchange". # At this point, the component must be defined, even if set to "dontchange".
...@@ -1387,7 +1389,12 @@ foreach my $id (@idlist) { ...@@ -1387,7 +1389,12 @@ foreach my $id (@idlist) {
} }
# When editing several bugs at once, only consider groups which # When editing several bugs at once, only consider groups which
# have been displayed. # have been displayed.
elsif (defined $cgi->param('id') || defined $cgi->param("bit-$gid")) { # Only members of a group can add/remove the bug to/from it,
# unless the bug is being moved to another product in which case
# non-members can also edit group restrictions.
elsif (($user->in_group_id($gid) || $product_change)
&& (defined $cgi->param('id') || defined $cgi->param("bit-$gid")))
{
if (!$cgi->param("bit-$gid")) { if (!$cgi->param("bit-$gid")) {
delete $updated_groups{$gid}; delete $updated_groups{$gid};
} }
......
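Review bot: The `$product_change` flag that the new `elsif` on lines 28–29 accepts in place of group membership is, in the mass-edit path, set by the condition on lines 12–13 whenever `product` differs from `dontchange`, not whenever a bug actually leaves its current product; a user who can see a restricted bug but is not in its group could therefore submit a multi-bug change with the bug's own product selected and still reach the group-removal branch, assuming the product block between the first two hunks does not reject a same-product selection. Compare the requested product against each bug's current product inside the loop before granting the exemption, e.g. `my $moves_this_bug = $product_change && $cgi->param('product') ne $bug->product;` and test `$moves_this_bug` in the `elsif`, provided the loop has the bug object in scope (it does in the single-bug case, see line 11). The comment on lines 25–27 should also say explicitly that the exemption is meant for a real move to a different product, not merely for a product field being submitted. The `foreach my $id (@idlist)` loop and the if/elsif chain this branch belongs to both start before the hunk, and the rest of the branch lies after it.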