Bug 121576: fields should not be editable when viewing a bug if the user is not logged in

Bugzilla/Bug.pm

@@ -1192,14 +1192,7 @@ sub user {
     my $user = Bugzilla->user;
     my $canmove = Bugzilla->params->{'move-enabled'} && $user->is_mover;
 
-    # In the below, if the person hasn't logged in, then we treat them
-    # as if they can do anything.  That's because we don't know why they
-    # haven't logged in; it may just be because they don't use cookies.
-    # Display everything as if they have all the permissions in the
-    # world; their permissions will get checked when they log in and
-    # actually try to make the change.
-    my $unknown_privileges = !$user->id
-                             || $user->in_group("editbugs");
+    my $unknown_privileges = $user->in_group("editbugs");
     my $canedit = $unknown_privileges
                   || $user->id == $self->{assigned_to_id}
                   || (Bugzilla->params->{'useqacontact'}

template/en/default/bug/edit.html.tmpl

@@ -20,6 +20,7 @@
   #                 Vaskin Kissoyan <vkissoyan@yahoo.com>
   #                 Max Kanat-Alexander <mkanat@bugzilla.org>
   #                 Frédéric Buclin <LpSolit@gmail.com>
+  #                 Olav Vitters <olav@bkor.dhs.org>
   #%]
 
 [% PROCESS global/variables.none.tmpl %]
@@ -215,7 +216,7 @@
               [% FOREACH field = fields %]
                 <tr>
                   [% PROCESS bug/field.html.tmpl value=bug.${field.name}
-                                                 editable = bug.check_can_change_field(field.name, 0, 1) || !user.id
+                                                 editable = bug.check_can_change_field(field.name, 0, 1)
                                                  value_span = 2 %]
                 </tr>
               [% END %]
@@ -262,11 +263,23 @@
           <table cellspacing="1" cellpadding="1">
             <tr>
               <td colspan="2" valign="top">
+                [% IF user.id %]
                   [% IF bug.flag_types.size > 0 %]
                     [% PROCESS "flag/list.html.tmpl" flag_no_header = 1
                                                      flag_types = bug.flag_types
                                                      any_flags_requesteeble = bug.any_flags_requesteeble %]
                   [% END %]
+                [% ELSE %]
+                  [% FOREACH type = bug.flag_types %]
+                    [% FOREACH flag = type.flags %]
+                        [% flag.setter.nick FILTER html %]:
+                        [%+ type.name FILTER html FILTER no_break %][% flag.status %]
+                        [%+ IF flag.requestee %]
+                          ([% flag.requestee.nick FILTER html %])
+                        [% END %]<br>
+                    [% END %]
+                  [% END %]
+                [% END %]
               </td>
             </tr>
           </table>
@@ -362,6 +375,7 @@
   <br>
   <table cellpadding="1" cellspacing="1">
     <tr>
+      [% IF user.id %]
         <td>
           <label for="comment" accesskey="c"><b>Additional <u>C</u>omments</b></label>:
           [% IF Param("insidergroup") && user.in_group(Param("insidergroup")) %]
@@ -396,6 +410,7 @@
             <label for="addselfcc">Add [% user.identity FILTER html %] to CC list</label>
           [% END %]
         </td>
+      [% END %]
 
       <td valign="top">
         <fieldset>
@@ -491,7 +506,7 @@
     [% END %]
   [% END %]
 
-[% PROCESS bug/knob.html.tmpl %]
+[% PROCESS bug/knob.html.tmpl IF user.id %]
 
 [%# *** Additional Comments *** %]
 
@@ -500,7 +515,7 @@
 <div id="comments">
 [% PROCESS bug/comments.html.tmpl
    comments = bug.longdescs
-   mode = "edit"
+   mode = user.id ? "edit" : "show"
  %]
 </div>
 
@@ -658,7 +673,7 @@
         <label for="qa_contact" accesskey="q"><b><u>Q</u>A Contact</b></label>:
       </td>
       <td colspan="7">
-        [% IF bug.check_can_change_field("qa_contact", 0, 1) || !user.id %]
+        [% IF bug.check_can_change_field("qa_contact", 0, 1) %]
           [% INCLUDE global/userselect.html.tmpl
               id => "qa_contact"
               name => "qa_contact"
@@ -667,7 +682,7 @@
               emptyok => 1
           %]
         [% ELSE %]
-          <input type="hidden" name="qa_contact"
+          <input type="hidden" name="qa_contact" id="qa_contact"
                  value="[% bug.qa_contact.login FILTER html %]">
           <a href="mailto:[% bug.qa_contact.email FILTER html %]">
             [% IF bug.qa_contact.login && bug.qa_contact.login.length > 30 %]
@@ -683,6 +698,7 @@
     </tr>
     [% END %]
 
+    [% IF user.id %]
       <tr>
         <td align="right" valign="top">
           <label for="newcc" accesskey="a"><b><u>A</u>dd&nbsp;CC</b></label>:
@@ -697,6 +713,7 @@
             %]
         </td>
       </tr>
+    [% END %]
 
     <tr>
       [% IF bug.cc %]
@@ -704,15 +721,18 @@
           <label for="cc"><b>CC</b></label>:
         </td>
         <td valign="top">
-          <select id="cc" name="cc" multiple="multiple" size="5">
+          <select id="cc" name="cc" multiple="multiple" size="5"
+                  [%- " disabled=\"disabled\"" IF !user.id %]>
           [% FOREACH c = bug.cc %]
             <option value="[% c FILTER html %]">[% c FILTER html %]</option>
           [% END %]
           </select>
+          [% IF user.id %]
             <br>
             <input type="checkbox" id="removecc" name="removecc">
             [%%]<label for="removecc">Remove selected CCs</label>
             <br>
+          [% END %]
         </td>
       [% ELSE %]
         <td colspan="2"><input type="hidden" name="cc" value=""></td>
@@ -736,11 +756,11 @@
   [% END %]
   </td>
   <td>
-    [% IF bug.check_can_change_field(dep.fieldname, 0, 1) || !user.id %]
+    [% IF bug.check_can_change_field(dep.fieldname, 0, 1) %]
       <input name="[% dep.fieldname %]" id="[% dep.fieldname %]"
              value="[% bug.${dep.fieldname}.join(', ') %]">
     [% ELSE %]
-      <input type="hidden" name="[% dep.fieldname %]"
+      <input type="hidden" id="[% dep.fieldname %]" name="[% dep.fieldname %]"
              value="[% bug.${dep.fieldname}.join(', ') %]">
     [% END %]
   </td>
@@ -753,7 +773,7 @@
 
 [% BLOCK select %]
   <td>
-    [% IF bug.check_can_change_field(selname, 0, 1) || !user.id %]
+    [% IF bug.check_can_change_field(selname, 0, 1) %]
       <select id="[% selname %]" name="[% selname %]">
         [% FOREACH x = bug.choices.${selname} %]
           <option value="[% x FILTER html %]"
@@ -762,7 +782,7 @@
         [% END %]
       </select>
     [% ELSE %]
-      <input type="hidden" name="[% selname %]" value="[% bug.${selname} FILTER html %]">
+      <input type="hidden" id="[% selname %]" name="[% selname %]" value="[% bug.${selname} FILTER html %]">
       [% bug.${selname} FILTER html %]
     [% END %]
   </td>
@@ -775,7 +795,7 @@
 [% BLOCK input %]
   <td[% " colspan=\"$colspan\"" IF colspan %]>
     [% val = value ? value : bug.$inputname %]
-    [% IF bug.check_can_change_field(inputname, 0, 1) || !user.id %]
+    [% IF bug.check_can_change_field(inputname, 0, 1) %]
        <input id="[% inputname %]" name="[% inputname %]"
               value="[% val FILTER html %]"[% " size=\"$size\"" IF size %]
               [% " maxlength=\"$maxlength\"" IF maxlength %]>

template/en/default/filterexceptions.pl

@@ -319,7 +319,8 @@
   'inputname',
   '" colspan=\"$colspan\"" IF colspan',
   '" size=\"$size\"" IF size',
-  '" maxlength=\"$maxlength\"" IF maxlength'
+  '" maxlength=\"$maxlength\"" IF maxlength',
+  'flag.status',
 ],
 
 'bug/knob.html.tmpl' => [