Bug 266579 : Users without privs can confirm bugs by assigning to themselves…

Bugzilla/Bug.pm

@@ -404,20 +404,22 @@ sub user {
     # Display everything as if they have all the permissions in the
     # world; their permissions will get checked when they log in and
     # actually try to make the change.
-    my $privileged = (!Bugzilla->user->id)
-                     || Bugzilla->user->in_group("editbugs")
-                     || Bugzilla->user->id == $self->{'assigned_to'}{'id'}
-                     || (Param('useqacontact') && $self->{'qa_contact'} &&
-                         Bugzilla->user->id == $self->{'qa_contact'}{'id'});
-    my $isreporter = Bugzilla->user->id && 
-                     Bugzilla->user->id == $self->{'reporter'}{'id'};
-
-    my $canedit = $privileged || $isreporter;
-    my $canconfirm = $privileged || Bugzilla->user->in_group("canconfirm");
-
-    $self->{'user'} = {canmove    => $canmove, 
-                       canconfirm => $canconfirm, 
-                       canedit    => $canedit,};
+    my $unknown_privileges = !Bugzilla->user->id
+                             || Bugzilla->user->in_group("editbugs");
+    my $canedit = $unknown_privileges
+                  || Bugzilla->user->id == $self->{'assigned_to'}{'id'}
+                  || (Param('useqacontact')
+                      && $self->{'qa_contact'}
+                      && Bugzilla->user->id == $self->{'qa_contact'}{'id'});
+    my $canconfirm = $unknown_privileges
+                     || Bugzilla->user->in_group("canconfirm");
+    my $isreporter = Bugzilla->user->id
+                     && Bugzilla->user->id == $self->{'reporter'}{'id'};
+
+    $self->{'user'} = {canmove    => $canmove,
+                       canconfirm => $canconfirm,
+                       canedit    => $canedit,
+                       isreporter => $isreporter};
     return $self->{'user'};
 }
 

enter_bug.cgi

@@ -317,7 +317,11 @@ $vars->{'component_'} = \@components;
 $default{'component_'} = formvalue('component');
 
 $vars->{'assigned_to'} = formvalue('assigned_to');
+$vars->{'assigned_to_disabled'} = !UserInGroup('editbugs');
+
 $vars->{'cc'} = formvalue('cc');
+$vars->{'cc_disabled'} = 0;
+
 $vars->{'product'} = $product;
 $vars->{'bug_file_loc'} = formvalue('bug_file_loc', "http://");
 $vars->{'short_desc'} = formvalue('short_desc');

post_bug.cgi

@@ -130,7 +130,7 @@ my $sql_product = SqlQuote($::FORM{'product'});
 my $sql_component = SqlQuote($::FORM{'component'});
 
 # Default assignee is the component owner.
-if ($::FORM{'assigned_to'} eq "") {
+if (!UserInGroup("editbugs") || $::FORM{'assigned_to'} eq "") {
     SendSQL("SELECT initialowner FROM components " .
             "WHERE id = $component_id");
     $::FORM{'assigned_to'} = FetchOneColumn();

template/en/default/bug/create/create.html.tmpl

@@ -187,6 +187,7 @@ function set_assign_to() {
       [% INCLUDE global/userselect.html.tmpl
          name => "assigned_to"
          value => assigned_to
+         disabled => assigned_to_disabled
          size => 32
          emptyok => 1
        %]
@@ -200,6 +201,7 @@ function set_assign_to() {
       [% INCLUDE global/userselect.html.tmpl
          name => "cc"
          value => cc
+         disabled => cc_disabled
          size => 45
          emptyok => 1
          multiple => 5

template/en/default/bug/knob.html.tmpl

@@ -43,19 +43,20 @@
     [% knum = knum + 1 %]
   [% END %]
 
-  [% IF bug.user.canedit %]
-    [% IF bug.isopened %]
-      [% IF bug.bug_status != "ASSIGNED" && bug.user.canconfirm %]
-        <input type="radio" id="knob-accept" name="knob" value="accept">
-        <label for="knob-accept">
-          Accept [% terms.bug %] (
-          [% IF bug.isunconfirmed %]confirm [% terms.bug %], [% END %]change
-          status to <b>ASSIGNED</b>)
-        </label>
-        <br>
-        [% knum = knum + 1 %]
-      [% END %]
+  [% IF bug.isopened && bug.bug_status != "ASSIGNED" && bug.user.canedit
+        && (!bug.isunconfirmed || bug.user.canconfirm) %]
+    <input type="radio" id="knob-accept" name="knob" value="accept">
+    <label for="knob-accept">
+      Accept [% terms.bug %] (
+      [% IF bug.isunconfirmed %]confirm [% terms.bug %], [% END %]change
+      status to <b>ASSIGNED</b>)
+    </label>
+    <br>
+    [% knum = knum + 1 %]
+  [% END %]
 
+  [% IF bug.user.canedit || bug.user.isreporter %]
+    [% IF bug.isopened %]
       [% IF bug.resolution %]
         <input type="radio" id="knob-clear" name="knob" value="clearresolution">
         <label for="knob-clear">
@@ -90,45 +91,47 @@
       <br>
       [% knum = knum + 1 %]
 
-      <input type="radio" id="knob-reassign" name="knob" value="reassign">
-      <label for="knob-reassign">
-        <a href="page.cgi?id=fields.html#assigned_to">Reassign</a> 
-        [% terms.bug %] to
-      </label>
-      [% safe_assigned_to = FILTER js; bug.assigned_to.login; END %]
-      [% INCLUDE global/userselect.html.tmpl
-           name => "assigned_to"
-           value => bug.assigned_to.login
-           size => 32
-           onchange => "if ((this.value != '$safe_assigned_to') && (this.value != '')) {
-                          document.changeform.knob[$knum].checked=true;
-                        }"
-      %]
-      <br>
-      [% IF bug.isunconfirmed && bug.user.canconfirm %]
-        &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" id="andconfirm" name="andconfirm">
-        <label for="andconfirm">
-          and confirm [% terms.bug %] (change status to <b>NEW</b>)
+      [% IF bug.user.canedit %]
+        <input type="radio" id="knob-reassign" name="knob" value="reassign">
+        <label for="knob-reassign">
+          <a href="page.cgi?id=fields.html#assigned_to">Reassign</a> 
+          [% terms.bug %] to
         </label>
+        [% safe_assigned_to = FILTER js; bug.assigned_to.login; END %]
+        [% INCLUDE global/userselect.html.tmpl
+             name => "assigned_to"
+             value => bug.assigned_to.login
+             size => 32
+             onchange => "if ((this.value != '$safe_assigned_to') && (this.value != '')) {
+                               document.changeform.knob[$knum].checked=true;
+                          }"
+        %]
         <br>
-      [% END %]
-      [% knum = knum + 1 %]
+        [% IF bug.isunconfirmed && bug.user.canconfirm %]
+          &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" id="andconfirm" name="andconfirm">
+          <label for="andconfirm">
+            and confirm [% terms.bug %] (change status to <b>NEW</b>)
+          </label>
+          <br>
+        [% END %]
+        [% knum = knum + 1 %]
 
-      <input type="radio" id="knob-reassign-cmp" name="knob" value="reassignbycomponent">
-      <label for="knob-reassign-cmp">
-        Reassign [% terms.bug %] to owner
-        [% " and QA contact" IF Param('useqacontact') %]
-        of selected component
-      </label>
-      <br>
-      [% IF bug.isunconfirmed && bug.user.canconfirm %]
-        &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" id="compconfirm" name="compconfirm">
-        <label for="compconfirm">
-          and confirm [% terms.bug %] (change status to <b>NEW</b>)
+        <input type="radio" id="knob-reassign-cmp" name="knob" value="reassignbycomponent">
+        <label for="knob-reassign-cmp">
+          Reassign [% terms.bug %] to owner
+          [% " and QA contact" IF Param('useqacontact') %]
+          of selected component
         </label>
         <br>
+        [% IF bug.isunconfirmed && bug.user.canconfirm %]
+          &nbsp;&nbsp;&nbsp;&nbsp;<input type="checkbox" id="compconfirm" name="compconfirm">
+          <label for="compconfirm">
+            and confirm [% terms.bug %] (change status to <b>NEW</b>)
+          </label>
+          <br>
+        [% END %]
+        [% knum = knum + 1 %]
       [% END %]
-      [% knum = knum + 1 %]
     [% ELSE %]
       [% IF bug.resolution != "MOVED" ||
            (bug.resolution == "MOVED" && bug.user.canmove) %]

template/en/default/global/user-error.html.tmpl

@@ -436,10 +436,14 @@
     You tried to change the 
     <strong>[% field_descs.$field FILTER html %]</strong> field 
     from <em>[% oldvalue FILTER html %]</em> to 
-    <em>[% newvalue FILTER html %]</em>, 
-    but only the owner or submitter of the [% terms.bug %], or a 
-    sufficiently empowered user, may change that field.
-  
+    <em>[% newvalue FILTER html %]</em>, but only
+    [% IF privs < 3 %]
+      the owner
+      [% IF privs < 2 %] or reporter [% END %]
+      of the [% terms.bug %], or
+    [% END %]
+    a sufficiently empowered user may change that field.
+
   [% ELSIF error == "illegal_changed_in_last_x_days" %]
     [% title = "Your Search Makes No Sense" %]
     The <em>Changed in last ___ days</em> field must be a simple number. 

template/en/default/global/userselect.html.tmpl

@@ -20,6 +20,7 @@
   # name: mandatory; field name
   # value: optional; default field value/selection
   # onchange: optional; onchange attribute value
+  # disabled: optional; if true, the field is disabled
   # accesskey: optional, input only; accesskey attribute value
   # size: optional, input only; size attribute value
   # emptyok: optional, select only;  if true, prepend menu option to start of select
@@ -30,6 +31,7 @@
 [% IF Param("usemenuforusers") %]
 <select name="[% name FILTER html %]"
   [% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
+  [% IF disabled %] disabled="[% disabled FILTER html %]" [% END %]
   [% IF accesskey %] accesskey="[% accesskey FILTER html %]" [% END %]
   [% IF multiple %] multiple="multiple" size="[% multiple FILTER html %]" [% END %]
 >
@@ -48,9 +50,10 @@
 <input
   name="[% name FILTER html %]"
   value="[% value FILTER html %]"
+  [% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
+  [% IF disabled %] disabled="[% disabled FILTER html %]" [% END %]
   [% IF accesskey %] accesskey="[% accesskey FILTER html %]" [% END %]
   [% IF size %] size="[% size FILTER html %]" [% END %]
-  [% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
 >
 [% END %]