Bug 266579 : Users without privs can confirm bugs by assigning to themselves…

Bug 266579 : Users without privs can confirm bugs by assigning to themselves first, without having canconfirm privs Patch by LpSolit@gmail.com r=myk a=justdave

Bug 266579 : Users without privs can confirm bugs by assigning to themselves…
4f4c25bb · travis%sedsystems.ca · 61a49f22 · 4f4c25bb · 4f4c25bb · 4f4c25bb
Commit 4f4c25bb authored Jan 21, 2005 by travis%sedsystems.ca
8 changed files
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -404,20 +404,22 @@ sub user {
    # Display everything as if they have all the permissions in the
    # world; their permissions will get checked when they log in and
    # actually try to make the change.
-    my $privileged = (!Bugzilla->user->id)
-                     || Bugzilla->user->in_group("editbugs")
+    my $unknown_privileges = !Bugzilla->user->id
+                             || Bugzilla->user->in_group("editbugs");
+    my $canedit = $unknown_privileges
                  || Bugzilla->user->id == $self->{'assigned_to'}{'id'}
-                     || (Param('useqacontact') && $self->{'qa_contact'} &&
-                         Bugzilla->user->id == $self->{'qa_contact'}{'id'});
-    my $isreporter = Bugzilla->user->id && 
-                     Bugzilla->user->id == $self->{'reporter'}{'id'};
-
-    my $canedit = $privileged || $isreporter;
-    my $canconfirm = $privileged || Bugzilla->user->in_group("canconfirm");
+                  || (Param('useqacontact')
+                      && $self->{'qa_contact'}
+                      && Bugzilla->user->id == $self->{'qa_contact'}{'id'});
+    my $canconfirm = $unknown_privileges
+                     || Bugzilla->user->in_group("canconfirm");
+    my $isreporter = Bugzilla->user->id
+                     && Bugzilla->user->id == $self->{'reporter'}{'id'};

    $self->{'user'} = {canmove    => $canmove,
                       canconfirm => $canconfirm,
-                       canedit    => $canedit,};
+                       canedit    => $canedit,
+                       isreporter => $isreporter};
    return $self->{'user'};
 }


--- a/enter_bug.cgi
+++ b/enter_bug.cgi
@@ -317,7 +317,11 @@ $vars->{'component_'} = \@components;
 $default{'component_'} = formvalue('component');

 $vars->{'assigned_to'} = formvalue('assigned_to');
+$vars->{'assigned_to_disabled'} = !UserInGroup('editbugs');
+
 $vars->{'cc'} = formvalue('cc');
+$vars->{'cc_disabled'} = 0;
+
 $vars->{'product'} = $product;
 $vars->{'bug_file_loc'} = formvalue('bug_file_loc', "http://");
 $vars->{'short_desc'} = formvalue('short_desc');

--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -130,7 +130,7 @@ my $sql_product = SqlQuote($::FORM{'product'});
 my $sql_component = SqlQuote($::FORM{'component'});

 # Default assignee is the component owner.
-if ($::FORM{'assigned_to'} eq "") {
+if (!UserInGroup("editbugs") || $::FORM{'assigned_to'} eq "") {
    SendSQL("SELECT initialowner FROM components " .
            "WHERE id = $component_id");
    $::FORM{'assigned_to'} = FetchOneColumn();

--- a/process_bug.cgi
+++ b/process_bug.cgi
--- a/template/en/default/bug/create/create.html.tmpl
+++ b/template/en/default/bug/create/create.html.tmpl
@@ -187,6 +187,7 @@ function set_assign_to() {
      [% INCLUDE global/userselect.html.tmpl
         name => "assigned_to"
         value => assigned_to
+         disabled => assigned_to_disabled
         size => 32
         emptyok => 1
       %]
@@ -200,6 +201,7 @@ function set_assign_to() {
      [% INCLUDE global/userselect.html.tmpl
         name => "cc"
         value => cc
+         disabled => cc_disabled
         size => 45
         emptyok => 1
         multiple => 5

--- a/template/en/default/bug/knob.html.tmpl
+++ b/template/en/default/bug/knob.html.tmpl
@@ -43,9 +43,8 @@
    [% knum = knum + 1 %]
  [% END %]

-  [% IF bug.user.canedit %]
-    [% IF bug.isopened %]
-      [% IF bug.bug_status != "ASSIGNED" && bug.user.canconfirm %]
+  [% IF bug.isopened && bug.bug_status != "ASSIGNED" && bug.user.canedit
+        && (!bug.isunconfirmed || bug.user.canconfirm) %]
    <input type="radio" id="knob-accept" name="knob" value="accept">
    <label for="knob-accept">
      Accept [% terms.bug %] (
@@ -56,6 +55,8 @@
    [% knum = knum + 1 %]
  [% END %]

+  [% IF bug.user.canedit || bug.user.isreporter %]
+    [% IF bug.isopened %]
      [% IF bug.resolution %]
        <input type="radio" id="knob-clear" name="knob" value="clearresolution">
        <label for="knob-clear">
@@ -90,6 +91,7 @@
      <br>
      [% knum = knum + 1 %]

+      [% IF bug.user.canedit %]
        <input type="radio" id="knob-reassign" name="knob" value="reassign">
        <label for="knob-reassign">
          <a href="page.cgi?id=fields.html#assigned_to">Reassign</a> 
@@ -129,6 +131,7 @@
          <br>
        [% END %]
        [% knum = knum + 1 %]
+      [% END %]
    [% ELSE %]
      [% IF bug.resolution != "MOVED" ||
           (bug.resolution == "MOVED" && bug.user.canmove) %]

--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -436,9 +436,13 @@
    You tried to change the 
    <strong>[% field_descs.$field FILTER html %]</strong> field 
    from <em>[% oldvalue FILTER html %]</em> to 
-    <em>[% newvalue FILTER html %]</em>, 
-    but only the owner or submitter of the [% terms.bug %], or a 
-    sufficiently empowered user, may change that field.
+    <em>[% newvalue FILTER html %]</em>, but only
+    [% IF privs < 3 %]
+      the owner
+      [% IF privs < 2 %] or reporter [% END %]
+      of the [% terms.bug %], or
+    [% END %]
+    a sufficiently empowered user may change that field.

  [% ELSIF error == "illegal_changed_in_last_x_days" %]
    [% title = "Your Search Makes No Sense" %]

--- a/template/en/default/global/userselect.html.tmpl
+++ b/template/en/default/global/userselect.html.tmpl
@@ -20,6 +20,7 @@
  # name: mandatory; field name
  # value: optional; default field value/selection
  # onchange: optional; onchange attribute value
+  # disabled: optional; if true, the field is disabled
  # accesskey: optional, input only; accesskey attribute value
  # size: optional, input only; size attribute value
  # emptyok: optional, select only;  if true, prepend menu option to start of select
@@ -30,6 +31,7 @@
 [% IF Param("usemenuforusers") %]
 <select name="[% name FILTER html %]"
  [% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
+  [% IF disabled %] disabled="[% disabled FILTER html %]" [% END %]
  [% IF accesskey %] accesskey="[% accesskey FILTER html %]" [% END %]
  [% IF multiple %] multiple="multiple" size="[% multiple FILTER html %]" [% END %]
 >
@@ -48,9 +50,10 @@
 <input
  name="[% name FILTER html %]"
  value="[% value FILTER html %]"
+  [% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
+  [% IF disabled %] disabled="[% disabled FILTER html %]" [% END %]
  [% IF accesskey %] accesskey="[% accesskey FILTER html %]" [% END %]
  [% IF size %] size="[% size FILTER html %]" [% END %]
-  [% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
 >
 [% END %]