Commit 4f4c25bb authored by's avatar

Bug 266579 : Users without privs can confirm bugs by assigning to themselves…

Bug 266579 : Users without privs can confirm bugs by assigning to themselves first, without having canconfirm privs Patch by r=myk a=justdave
parent 61a49f22
......@@ -404,20 +404,22 @@ sub user {
# Display everything as if they have all the permissions in the
# world; their permissions will get checked when they log in and
# actually try to make the change.
my $privileged = (!Bugzilla->user->id)
|| Bugzilla->user->in_group("editbugs")
my $unknown_privileges = !Bugzilla->user->id
|| Bugzilla->user->in_group("editbugs");
my $canedit = $unknown_privileges
|| Bugzilla->user->id == $self->{'assigned_to'}{'id'}
|| (Param('useqacontact') && $self->{'qa_contact'} &&
Bugzilla->user->id == $self->{'qa_contact'}{'id'});
my $isreporter = Bugzilla->user->id &&
Bugzilla->user->id == $self->{'reporter'}{'id'};
my $canedit = $privileged || $isreporter;
my $canconfirm = $privileged || Bugzilla->user->in_group("canconfirm");
|| (Param('useqacontact')
&& $self->{'qa_contact'}
&& Bugzilla->user->id == $self->{'qa_contact'}{'id'});
my $canconfirm = $unknown_privileges
|| Bugzilla->user->in_group("canconfirm");
my $isreporter = Bugzilla->user->id
&& Bugzilla->user->id == $self->{'reporter'}{'id'};
$self->{'user'} = {canmove => $canmove,
canconfirm => $canconfirm,
canedit => $canedit,};
canedit => $canedit,
isreporter => $isreporter};
return $self->{'user'};
......@@ -317,7 +317,11 @@ $vars->{'component_'} = \@components;
$default{'component_'} = formvalue('component');
$vars->{'assigned_to'} = formvalue('assigned_to');
$vars->{'assigned_to_disabled'} = !UserInGroup('editbugs');
$vars->{'cc'} = formvalue('cc');
$vars->{'cc_disabled'} = 0;
$vars->{'product'} = $product;
$vars->{'bug_file_loc'} = formvalue('bug_file_loc', "http://");
$vars->{'short_desc'} = formvalue('short_desc');
......@@ -130,7 +130,7 @@ my $sql_product = SqlQuote($::FORM{'product'});
my $sql_component = SqlQuote($::FORM{'component'});
# Default assignee is the component owner.
if ($::FORM{'assigned_to'} eq "") {
if (!UserInGroup("editbugs") || $::FORM{'assigned_to'} eq "") {
SendSQL("SELECT initialowner FROM components " .
"WHERE id = $component_id");
$::FORM{'assigned_to'} = FetchOneColumn();
......@@ -23,11 +23,13 @@
# Dave Miller <>
# Christopher Aillon <>
# Myk Melez <>
# Frédéric Buclin <>
use strict;
my $UserInEditGroupSet = -1;
my $UserInCanConfirmGroupSet = -1;
my $PrivilegesRequired = 0;
use lib qw(.);
......@@ -237,12 +239,8 @@ if ((($::FORM{'id'} && $::FORM{'product'} ne $::oldproduct)
$vars->{'oldvalue'} = $::oldproduct;
$vars->{'newvalue'} = $::FORM{'product'};
$vars->{'field'} = 'product';
{ oldvalue => $::oldproduct,
newvalue => $::FORM{'product'},
field => 'product',
$vars->{'privs'} = $PrivilegesRequired;
ThrowUserError("illegal_change", $vars, "abort");
CheckFormField(\%::FORM, 'product', \@::legal_product);
......@@ -350,34 +348,18 @@ sub CheckCanChangeField {
my ($field, $bugid, $oldvalue, $newvalue) = (@_);
# Convert email IDs into addresses for $oldvalue
if (($field eq "assigned_to") ||
($field eq "reporter") ||
($field eq "qa_contact"))
if ($oldvalue =~ /^\d+$/) {
if ($oldvalue == 0) {
$oldvalue = "";
} else {
$oldvalue = DBID_to_name($oldvalue);
# Return true if they haven't changed this field at all.
if ($oldvalue eq $newvalue) {
return 1;
elsif (trim($oldvalue) eq trim($newvalue)) {
} elsif (trim($oldvalue) eq trim($newvalue)) {
return 1;
# numeric fields need to be compared using ==
} elsif (($field eq "estimated_time" || $field eq "remaining_time") &&
$oldvalue == $newvalue) {
} elsif (($field eq "estimated_time" || $field eq "remaining_time")
&& $oldvalue == $newvalue)
return 1;
# A resolution change is always accompanied by a status change. So, we
# always OK resolution changes; if they really can't do this, we will
# notice it when status is checked.
......@@ -391,6 +373,14 @@ sub CheckCanChangeField {
return 1;
# Ignore the assigned_to field if the bug is not being reassigned
if ($field eq "assigned_to"
&& $::FORM{'knob'} ne "reassignbycomponent"
&& $::FORM{'knob'} ne "reassign")
return 1;
# Find out whether the user is a member of the "editbugs" and/or
# "canconfirm" groups. $UserIn*GroupSet are caches of the return value of
......@@ -404,20 +394,28 @@ sub CheckCanChangeField {
# Allow anyone with "editbugs" to change anything.
# If the user isn't allowed to change a field, we must tell him who can.
# We store the required permission set into the $PrivilegesRequired
# variable which gets passed to the error template.
# $PrivilegesRequired = 0 : no privileges required;
# $PrivilegesRequired = 1 : the reporter, owner or an empowered user;
# $PrivilegesRequired = 2 : the owner or an empowered user;
# $PrivilegesRequired = 3 : an empowered user.
# Allow anyone with "editbugs" privs to change anything.
if ($UserInEditGroupSet) {
return 1;
# Allow anyone with "canconfirm" to confirm bugs.
if ($UserInCanConfirmGroupSet) {
if (($field eq "canconfirm") ||
(($field eq "bug_status") &&
($oldvalue eq $::unconfirmedstate) &&
# *Only* users with "canconfirm" privs can confirm bugs.
if ($field eq "canconfirm"
|| ($field eq "bug_status"
&& $oldvalue eq $::unconfirmedstate
&& IsOpenedState($newvalue)))
return 1;
$PrivilegesRequired = 3;
return $UserInCanConfirmGroupSet;
......@@ -431,46 +429,48 @@ sub CheckCanChangeField {
# Allow the owner to change anything.
if ($ownerid eq $whoid) {
# Allow the owner to change anything else.
if ($ownerid == $whoid) {
return 1;
# Allow the QA contact to change anything.
if (Param('useqacontact') && ($qacontactid eq $whoid)) {
# Allow the QA contact to change anything else.
if (Param('useqacontact') && ($qacontactid == $whoid)) {
return 1;
# The reporter's a more complicated case...
if ($reporterid eq $whoid) {
# Reporter may not:
# - confirm his own bugs (this assumes he doesn't have canconfirm, or we
# would have returned "1" earlier)
if (($field eq "bug_status") &&
($oldvalue eq $::unconfirmedstate) &&
# The reporter is a more complicated case...
if ($reporterid == $whoid) {
$PrivilegesRequired = 2;
# The reporter may not:
# - reassign bugs, unless the bugs are assigned to him;
# in that case we will have already returned 1 above
# when checking for the owner of the bug.
if ($field eq "assigned_to") {
return 0;
# - change the QA contact
if ($field eq "qa_contact") {
return 0;
# - change the target milestone
if ($field eq "target_milestone") {
return 0;
# - change the priority (unless he could have set it originally)
if (($field eq "priority") &&
if ($field eq "priority"
&& !Param('letsubmitterchoosepriority'))
return 0;
# Allow reporter to change anything else.
# Allow the reporter to change anything else.
return 1;
# If we haven't returned by this point, then the user doesn't have the
# necessary permissions to change this field.
$PrivilegesRequired = 1;
return 0;
......@@ -619,19 +619,23 @@ sub ChangeStatus {
} else {
$::query .= "bug_status = " . SqlQuote($str);
$::FORM{'bug_status'} = $str; # Used later for call to
# CheckCanChangeField to make sure this
# is really kosher.
# If bugs are reassigned and their status is "UNCONFIRMED", they
# should keep this status instead of "NEW" as suggested here.
# This point is checked for each bug later in the code.
$::FORM{'bug_status'} = $str;
sub ChangeResolution {
my ($str) = (@_);
if (!$::FORM{'dontchange'} ||
($str ne $::FORM{'dontchange'})) {
if (!$::FORM{'dontchange'}
|| $str ne $::FORM{'dontchange'})
$::query .= "resolution = " . SqlQuote($str);
$::FORM{'resolution'} = $str; # Used later by CheckCanChangeField
# We define this variable here so that customized installations
# may set rules based on the resolution in CheckCanChangeField.
$::FORM{'resolution'} = $str;
......@@ -761,18 +765,6 @@ if (Param("usebugaliases") && defined($::FORM{'alias'})) {
if (defined $::FORM{'qa_contact'}) {
my $name = trim($::FORM{'qa_contact'});
if ($name ne $::FORM{'dontchange'}) {
my $id = 0;
if ($name ne "") {
$id = DBNameToIdAndCheck($name);
$::query .= "qa_contact = $id";
# time tracking data processing:
if (UserInGroup(Param('timetrackinggroup'))) {
foreach my $field ("estimated_time", "remaining_time") {
......@@ -874,6 +866,26 @@ if (defined $::FORM{newcc} || defined $::FORM{removecc} || defined $::FORM{massc
# Store the new assignee and QA contact IDs (if any). This is the
# only way to keep these informations when bugs are reassigned by
# component as $::FORM{'assigned_to'} and $::FORM{'qa_contact'}
# are not the right fields to look at.
my $assignee;
my $qacontact;
if (defined $::FORM{'qa_contact'}
&& $::FORM{'knob'} ne "reassignbycomponent")
$qacontact = 0;
my $name = trim($::FORM{'qa_contact'});
# The QA contact cannot be deleted from show_bug.cgi for a single bug!
if ($name ne $::FORM{'dontchange'}) {
$qacontact = DBNameToIdAndCheck($name) if ($name ne "");
$::query .= "qa_contact = $qacontact";
CheckFormFieldDefined(\%::FORM, 'knob');
SWITCH: for ($::FORM{'knob'}) {
......@@ -907,9 +919,13 @@ SWITCH: for ($::FORM{'knob'}) {
# Check here, because its the only place we require the resolution
CheckFormField(\%::FORM, 'resolution', \@::settable_resolution);
# don't resolve as fixed while still unresolved blocking bugs
if (Param("noresolveonopenblockers") && ($::FORM{'resolution'} eq 'FIXED')) {
if (Param("noresolveonopenblockers")
&& $::FORM{'resolution'} eq 'FIXED')
my @dependencies = CountOpenDependencies(@idlist);
if (scalar @dependencies > 0) {
......@@ -917,9 +933,6 @@ SWITCH: for ($::FORM{'knob'}) {
dependency_count => scalar @dependencies });
# Check here, because its the only place we require the resolution
CheckFormField(\%::FORM, 'resolution', \@::settable_resolution);
last SWITCH;
......@@ -930,12 +943,13 @@ SWITCH: for ($::FORM{'knob'}) {
if (!defined$::FORM{'assigned_to'} ||
trim($::FORM{'assigned_to'}) eq "") {
if (!defined $::FORM{'assigned_to'}
|| trim($::FORM{'assigned_to'}) eq "")
my $newid = DBNameToIdAndCheck(trim($::FORM{'assigned_to'}));
$::query .= "assigned_to = $newid";
$assignee = DBNameToIdAndCheck(trim($::FORM{'assigned_to'}));
$::query .= "assigned_to = $assignee";
last SWITCH;
/^reassignbycomponent$/ && CheckonComment( "reassignbycomponent" ) && do {
......@@ -951,14 +965,13 @@ SWITCH: for ($::FORM{'knob'}) {
SendSQL("SELECT initialowner FROM components " .
"WHERE = $comp_id");
my $newid = FetchOneColumn();
$assignee = FetchOneColumn();
$::query .= "assigned_to = $newid";
$::query .= "assigned_to = $assignee";
if (Param("useqacontact")) {
SendSQL("SELECT initialqacontact FROM components " .
"WHERE = $comp_id");
my $qacontact = FetchOneColumn();
$qacontact = 0 unless (defined $qacontact && $qacontact != 0);
$qacontact = FetchOneColumn() || 0;
$::query .= "qa_contact = $qacontact";
......@@ -1130,8 +1143,6 @@ foreach my $id (@idlist) {
"group_control_map AS oldcontrolmap READ, " .
"group_control_map AS newcontrolmap READ, " .
"group_control_map READ");
my @oldvalues = SnapShotBug($id);
my %oldhash;
# Fun hack. @::log_columns only contains the component_id,
# not the name (since bug 43600 got fixed). So, we need to have
# this id ready for the loop below, otherwise anybody can
......@@ -1144,31 +1155,58 @@ foreach my $id (@idlist) {
get_component_id($product_id, $::FORM{'component'});
# It may sound crazy to set %formhash for each bug as $::FORM{}
# will not change, but %formhash is modified below and we prefer
# to set it again.
my $i = 0;
my @oldvalues = SnapShotBug($id);
my %oldhash;
my %formhash;
foreach my $col (@::log_columns) {
# Consider NULL db entries to be equivalent to the empty string
$oldvalues[$i] = '' unless defined($oldvalues[$i]);
$oldvalues[$i] = '' unless defined $oldvalues[$i];
$oldhash{$col} = $oldvalues[$i];
if (exists $::FORM{$col}) {
if (!CheckCanChangeField($col, $id, $oldvalues[$i], $::FORM{$col})) {
# More fun hacking... don't display component_id
$formhash{$col} = $::FORM{$col} if defined $::FORM{$col};
# If the user is reassigning bugs, we need to:
# - convert $newhash{'assigned_to'} and $newhash{'qa_contact'}
# email addresses into their corresponding IDs;
# - update $newhash{'bug_status'} to its real state if the bug
# is in the unconfirmed state.
$formhash{'qa_contact'} = $qacontact if Param('useqacontact');
if ($::FORM{'knob'} eq 'reassignbycomponent'
|| $::FORM{'knob'} eq 'reassign')
$formhash{'assigned_to'} = $assignee;
if ($oldhash{'bug_status'} eq $::unconfirmedstate) {
$formhash{'bug_status'} = $oldhash{'bug_status'};
foreach my $col (@::log_columns) {
if (exists $formhash{$col}
&& !CheckCanChangeField($col, $id, $oldhash{$col}, $formhash{$col}))
my $vars;
if ($col eq 'component_id') {
$vars->{'oldvalue'} =
# Display the component name
$vars->{'oldvalue'} = get_component_name($oldhash{$col});
$vars->{'newvalue'} = $::FORM{'component'};
$vars->{'field'} = 'component';
else {
$vars->{'oldvalue'} = $oldvalues[$i];
$vars->{'newvalue'} = $::FORM{$col};
} elsif ($col eq 'assigned_to' || $col eq 'qa_contact') {
# Display the assignee or QA contact email address
$vars->{'oldvalue'} = DBID_to_name($oldhash{$col});
$vars->{'newvalue'} = DBID_to_name($formhash{$col});
$vars->{'field'} = $col;
} else {
$vars->{'oldvalue'} = $oldhash{$col};
$vars->{'newvalue'} = $formhash{$col};
$vars->{'field'} = $col;
$vars->{'privs'} = $PrivilegesRequired;
ThrowUserError("illegal_change", $vars, "abort");
# When editing multiple bugs, users can specify a list of keywords to delete
# from bugs. If the list matches the current set of keywords on those bugs,
......@@ -1184,6 +1222,7 @@ foreach my $id (@idlist) {
$vars->{'oldvalue'} = $oldhash{keywords};
$vars->{'newvalue'} = "no keywords";
$vars->{'field'} = "keywords";
$vars->{'privs'} = $PrivilegesRequired;
ThrowUserError("illegal_change", $vars, "abort");
......@@ -187,6 +187,7 @@ function set_assign_to() {
[% INCLUDE global/userselect.html.tmpl
name => "assigned_to"
value => assigned_to
disabled => assigned_to_disabled
size => 32
emptyok => 1
......@@ -200,6 +201,7 @@ function set_assign_to() {
[% INCLUDE global/userselect.html.tmpl
name => "cc"
value => cc
disabled => cc_disabled
size => 45
emptyok => 1
multiple => 5
......@@ -43,9 +43,8 @@
[% knum = knum + 1 %]
[% END %]
[% IF bug.user.canedit %]
[% IF bug.isopened %]
[% IF bug.bug_status != "ASSIGNED" && bug.user.canconfirm %]
[% IF bug.isopened && bug.bug_status != "ASSIGNED" && bug.user.canedit
&& (!bug.isunconfirmed || bug.user.canconfirm) %]
<input type="radio" id="knob-accept" name="knob" value="accept">
<label for="knob-accept">
Accept [% terms.bug %] (
......@@ -56,6 +55,8 @@
[% knum = knum + 1 %]
[% END %]
[% IF bug.user.canedit || bug.user.isreporter %]
[% IF bug.isopened %]
[% IF bug.resolution %]
<input type="radio" id="knob-clear" name="knob" value="clearresolution">
<label for="knob-clear">
......@@ -90,6 +91,7 @@
[% knum = knum + 1 %]
[% IF bug.user.canedit %]
<input type="radio" id="knob-reassign" name="knob" value="reassign">
<label for="knob-reassign">
<a href="page.cgi?id=fields.html#assigned_to">Reassign</a>
......@@ -129,6 +131,7 @@
[% END %]
[% knum = knum + 1 %]
[% END %]
[% ELSE %]
[% IF bug.resolution != "MOVED" ||
(bug.resolution == "MOVED" && bug.user.canmove) %]
......@@ -436,9 +436,13 @@
You tried to change the
<strong>[% field_descs.$field FILTER html %]</strong> field
from <em>[% oldvalue FILTER html %]</em> to
<em>[% newvalue FILTER html %]</em>,
but only the owner or submitter of the [% terms.bug %], or a
sufficiently empowered user, may change that field.
<em>[% newvalue FILTER html %]</em>, but only
[% IF privs < 3 %]
the owner
[% IF privs < 2 %] or reporter [% END %]
of the [% terms.bug %], or
[% END %]
a sufficiently empowered user may change that field.
[% ELSIF error == "illegal_changed_in_last_x_days" %]
[% title = "Your Search Makes No Sense" %]
......@@ -20,6 +20,7 @@
# name: mandatory; field name
# value: optional; default field value/selection
# onchange: optional; onchange attribute value
# disabled: optional; if true, the field is disabled
# accesskey: optional, input only; accesskey attribute value
# size: optional, input only; size attribute value
# emptyok: optional, select only; if true, prepend menu option to start of select
......@@ -30,6 +31,7 @@
[% IF Param("usemenuforusers") %]
<select name="[% name FILTER html %]"
[% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
[% IF disabled %] disabled="[% disabled FILTER html %]" [% END %]
[% IF accesskey %] accesskey="[% accesskey FILTER html %]" [% END %]
[% IF multiple %] multiple="multiple" size="[% multiple FILTER html %]" [% END %]
......@@ -48,9 +50,10 @@
name="[% name FILTER html %]"
value="[% value FILTER html %]"
[% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
[% IF disabled %] disabled="[% disabled FILTER html %]" [% END %]
[% IF accesskey %] accesskey="[% accesskey FILTER html %]" [% END %]
[% IF size %] size="[% size FILTER html %]" [% END %]
[% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
[% END %]
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment