Commit 6d7c379c authored by Dave Lawrence's avatar Dave Lawrence

Bug 864625 - Setting a non-privileged user as a requestee on a secure bug while…

Bug 864625 - Setting a non-privileged user as a requestee on a secure bug while ccing the same user to give access at the same r=LpSolit,a=sgreen
parent d8ee22ef
...@@ -397,7 +397,7 @@ sub _validate { ...@@ -397,7 +397,7 @@ sub _validate {
my $old_requestee_id = $obj_flag->requestee_id; my $old_requestee_id = $obj_flag->requestee_id;
$obj_flag->_set_status($params->{status}); $obj_flag->_set_status($params->{status});
$obj_flag->_set_requestee($params->{requestee}, $attachment, $params->{skip_roe}); $obj_flag->_set_requestee($params->{requestee}, $bug, $attachment, $params->{skip_roe});
# The requestee ID can be undefined. # The requestee ID can be undefined.
my $requestee_changed = ($obj_flag->requestee_id || 0) != ($old_requestee_id || 0); my $requestee_changed = ($obj_flag->requestee_id || 0) != ($old_requestee_id || 0);
...@@ -623,10 +623,10 @@ sub force_retarget { ...@@ -623,10 +623,10 @@ sub force_retarget {
############################### ###############################
sub _set_requestee { sub _set_requestee {
my ($self, $requestee, $attachment, $skip_requestee_on_error) = @_; my ($self, $requestee, $bug, $attachment, $skip_requestee_on_error) = @_;
$self->{requestee} = $self->{requestee} =
$self->_check_requestee($requestee, $attachment, $skip_requestee_on_error); $self->_check_requestee($requestee, $bug, $attachment, $skip_requestee_on_error);
$self->{requestee_id} = $self->{requestee_id} =
$self->{requestee} ? $self->{requestee}->id : undef; $self->{requestee} ? $self->{requestee}->id : undef;
...@@ -648,7 +648,7 @@ sub _set_status { ...@@ -648,7 +648,7 @@ sub _set_status {
} }
sub _check_requestee { sub _check_requestee {
my ($self, $requestee, $attachment, $skip_requestee_on_error) = @_; my ($self, $requestee, $bug, $attachment, $skip_requestee_on_error) = @_;
# If the flag status is not "?", then no requestee can be defined. # If the flag status is not "?", then no requestee can be defined.
return undef if ($self->status ne '?'); return undef if ($self->status ne '?');
...@@ -680,8 +680,16 @@ sub _check_requestee { ...@@ -680,8 +680,16 @@ sub _check_requestee {
# Note that can_see_bug() will query the DB, so if the bug # Note that can_see_bug() will query the DB, so if the bug
# is being added/removed from some groups and these changes # is being added/removed from some groups and these changes
# haven't been committed to the DB yet, they won't be taken # haven't been committed to the DB yet, they won't be taken
# into account here. In this case, old restrictions matters. # into account here. In this case, old group restrictions matter.
if (!$requestee->can_see_bug($self->bug_id)) { # However, if the user has just been changed to the assignee,
# qa_contact, or added to the cc list of the bug and the bug
# is cclist_accessible, the requestee is allowed.
if (!$requestee->can_see_bug($self->bug_id)
&& (!$bug->cclist_accessible
|| !grep($_->id == $requestee->id, @{ $bug->cc_users })
&& $requestee->id != $bug->assigned_to->id
&& (!$bug->qa_contact || $requestee->id != $bug->qa_contact->id)))
{
if ($skip_requestee_on_error) { if ($skip_requestee_on_error) {
undef $requestee; undef $requestee;
} }
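Review bot: In the new condition in `_check_requestee`, `&&` binds tighter than `||`, so the assignee and QA-contact exemptions only take effect when `$bug->cclist_accessible` is true; with that flag off, a requestee who was just made assignee or QA contact is still rejected. That fails closed, but the comment above the condition can be read either way, so the role tests should get their own parentheses and the comment should say so, e.g. `# The role-based exemption below applies only when the bug is cclist_accessible.` Separately, `can_see_bug` is asked about `$self->bug_id` while the exemption reads roles from the passed-in `$bug`, which presumably carries the uncommitted changes. Nothing in the visible lines checks that `$bug` is defined or that `$bug->id` equals `$self->bug_id`, so a guard or a stated precondition would help. The body of `_check_requestee` begins and continues outside this hunk.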