Bug 28849: Block users from CCing other users if they do not have editbugs privs

r=LpSolit, a=LpSolit

Bug 28849: Block users from CCing other users if they do not have editbugs privs
80433668 · Byron Jones · 12a41578 · 80433668 · 80433668 · 80433668
Commit 80433668 authored May 10, 2011 by Byron Jones
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 3 deletions

Bug.pm Bugzilla/Bug.pm +4 -0

edit.html.tmpl template/en/default/bug/edit.html.tmpl +13 -3

user-error.html.tmpl template/en/default/global/user-error.html.tmpl +4 -0

No files found.
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -2658,6 +2658,10 @@ sub remove_cc {
    my ($self, $user_or_name) = @_;
    my $user = ref $user_or_name ? $user_or_name
                                 : Bugzilla::User->check($user_or_name);
+    my $currentUser = Bugzilla->user;
+    if (!$self->user->{'canedit'} && $user->id != $currentUser->id) {
+        ThrowUserError('cc_remove_denied');
+    }
    my $cc_users = $self->cc_users;
    @$cc_users = grep { $_->id != $user->id } @$cc_users;
 }

--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -830,16 +830,26 @@
            </div>
          [% END %]
          [% IF bug.cc %]
-            <select id="cc" name="cc" multiple="multiple" size="5">
+            <select id="cc" multiple="multiple" size="5"
+              [% IF bug.user.canedit %]name="cc"[% END %]>
              [% FOREACH c = bug.cc %]
                <option value="[% c FILTER email FILTER html %]">
                  [% c FILTER email FILTER html %]</option>
              [% END %]
            </select>
-            [% IF user.id %]
+            [% IF user.id && !bug.user.canedit %]
+              <input type="hidden" name="cc" value="[% user.login FILTER email FILTER html %]">
+            [% END %]
+            [% IF user.id AND (bug.user.canedit OR bug.cc.contains(user.login)) %]
              <br>
              <input type="checkbox" id="removecc" name="removecc">
-              [%%]<label for="removecc">Remove selected CCs</label>
+              <label for="removecc">
+                [% IF bug.user.canedit %]
+                  Remove selected CCs
+                [% ELSE %]
+                  Remove me from the CC list
+                [% END %]
+              </label>
              <br>
            [% END %]
          [% END %]

--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -280,6 +280,10 @@
                    'query.html#list' => "$terms.Bug lists"} %]
    You may not search, or create saved searches, without any search terms.
+  [% ELSIF error == "cc_remove_denied" %]
+    [% title = "Change Denied" %]
+    You do not have permission to remove other people from the CC list.
  [% ELSIF error == "chart_too_large" %]
    [% title = "Chart Too Large" %]
    Sorry, but 2000 x 2000 is the maximum size for a chart.