authorbugreport%peshkin.net <>2005-10-18 04:19:00 +0000
committerbugreport%peshkin.net <>2005-10-18 04:19:00 +0000
commit1f9c83ae81c5c81d005fa0d9a428e23ea5126576 (patch)
tree191cd91527ab952c5d2abe6d3a797bd415937494 /process_bug.cgi
parentBug 302835: The "confirm delete" page when deleting a user account should dis... (diff)
Bug 309681: Prevent users from adding another user who shouldn't have access to a bug as assignee or CC member
Patch by Gabriel Sales de Oliveira <gabriel@async.com.br> r=joel, a=justdave
Diffstat (limited to 'process_bug.cgi')
-rwxr-xr-xprocess_bug.cgi45
1 files changed, 41 insertions, 4 deletions
diff --git a/process_bug.cgi b/process_bug.cgi
index 9362af4a8..0cc4a224f 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -984,6 +984,11 @@ if (defined $cgi->param('qa_contact')
# The QA contact cannot be deleted from show_bug.cgi for a single bug!
if ($name ne $cgi->param('dontchange')) {
$qacontact = DBNameToIdAndCheck($name) if ($name ne "");
+ if (Param("strict_isolation")) {
+ my $product_id = get_product_id($cgi->param('product'));
+ Bugzilla::Bug::can_add_user_to_bug(
+ $product_id, $cgi->param('id'), $qacontact);
+ }
DoComma();
if($qacontact) {
$::query .= "qa_contact = $qacontact";
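Review bot: The new strict-isolation call in this hunk can run with an unset `$qacontact`: the assignment on the line above it is skipped when `$name` is empty (the QA contact is being cleared), yet `can_add_user_to_bug` is still invoked with that value. Guard on the resolved id, as the per-bug check later in this commit does, `if ($qacontact && Param("strict_isolation")) {`. The product id here is taken from the `product` form field rather than from the bug's stored product, so for multi-bug edits (where that field is presumably the `dontchange` value) this call cannot resolve a product; the per-bug check added at 1363 appears to be what covers that case. The enclosing `if` began before the hunk.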
@@ -1046,7 +1051,14 @@ SWITCH: for ($cgi->param('knob')) {
}
ChangeStatus('NEW');
DoComma();
- if (!defined $cgi->param('assigned_to')
+ if (defined $cgi->param('assigned_to')) {
+ my $uid = DBNameToIdAndCheck($cgi->param('assigned_to'));
+ if (Param("strict_isolation")) {
+ my $product_id = get_product_id($cgi->param('product'));
+ Bugzilla::Bug::can_add_user_to_bug(
+ $product_id, $cgi->param('id'), $uid);
+ }
+ } elsif (!defined $cgi->param('assigned_to')
|| trim($cgi->param('assigned_to')) eq "") {
ThrowUserError("reassign_to_empty");
}
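Review bot: The restructured condition makes the `trim(...) eq ""` arm of the `elsif` unreachable: a defined-but-blank `assigned_to` now enters the first branch and reaches `DBNameToIdAndCheck("")` instead of raising `reassign_to_empty`. Test for the empty value first and only then resolve the name, so the user-facing error is preserved and the isolation check always runs on a real id. The SWITCH loop this sits in starts and ends outside the hunk, and whether `$uid` is reused further down is not visible here.
```perl
        ChangeStatus('NEW');
        DoComma();
        if (!defined $cgi->param('assigned_to')
            || trim($cgi->param('assigned_to')) eq "") {
            ThrowUserError("reassign_to_empty");
        }
        my $uid = DBNameToIdAndCheck($cgi->param('assigned_to'));
        if (Param("strict_isolation")) {
            my $product_id = get_product_id($cgi->param('product'));
            Bugzilla::Bug::can_add_user_to_bug(
                $product_id, $cgi->param('id'), $uid);
        }
        # … unchanged: rest of the 'reassign' case …
```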
@@ -1276,6 +1288,7 @@ sub LogDependencyActivity {
# show_bug.cgi).
#
foreach my $id (@idlist) {
+ my $bug_obj = new Bugzilla::Bug($id, $whoid);
my %dependencychanged;
$bug_changed = 0;
my $write = "WRITE"; # Might want to make a param to control
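Review bot: `new Bugzilla::Bug($id, $whoid)` uses indirect object syntax, which the rest of this commit avoids (`Bugzilla::User->new($pid)` in the 1587 hunk); write it as `my $bug_obj = Bugzilla::Bug->new($id, $whoid);`. The object is also built for every bug in the list even when `strict_isolation` is off, which is worth a comment if intended, e.g. `# Loaded per bug so the strict_isolation checks below can use the stored product_id`. The foreach body continues beyond the hunk.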
@@ -1350,7 +1363,16 @@ foreach my $id (@idlist) {
ThrowUserError("illegal_change", $vars);
}
}
-
+ if ($cgi->param('assigned_to') && Param("strict_isolation")) {
+ my $uid = DBNameToIdAndCheck($cgi->param('assigned_to'));
+ Bugzilla::Bug::can_add_user_to_bug(
+ $bug_obj->{'product_id'}, $id, $uid);
+ }
+ if ($cgi->param('qa_contact') && Param("strict_isolation")) {
+ Bugzilla::Bug::can_add_user_to_bug(
+ $bug_obj->{'product_id'}, $id, $qacontact);
+ }
+
# When editing multiple bugs, users can specify a list of keywords to delete
# from bugs. If the list matches the current set of keywords on those bugs,
# CheckCanChangeField above will fail to check permissions because it thinks
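Review bot: The qa_contact check in this hunk guards on `$cgi->param('qa_contact')` but passes `$qacontact`, which the earlier block only assigns when the field differs from `dontchange` and is non-empty; when the field carries the `dontchange` value the param is true but `$qacontact` is unset (unless initialized elsewhere), so `can_add_user_to_bug` receives no user. Guard on the resolved id instead: `if ($qacontact && Param("strict_isolation")) {`. The `assigned_to` branch has the same shape — it keys on the raw parameter rather than on whether a reassignment was requested, so if the form submits `assigned_to` on every edit, bugs whose current assignee lacks product access would presumably become uneditable; confirm that against the knob handling. It also repeats `DBNameToIdAndCheck` for each bug in the list, a lookup that could be done once before the loop. The foreach body starts and ends outside the hunk.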
@@ -1370,7 +1392,7 @@ foreach my $id (@idlist) {
}
$oldhash{'product'} = get_product_name($oldhash{'product_id'});
- if (!CanEditProductId($oldhash{'product_id'})) {
+ if (!Bugzilla->user->can_edit_product($oldhash{'product_id'})) {
ThrowUserError("product_edit_denied",
{ product => $oldhash{'product'} });
}
@@ -1565,7 +1587,22 @@ foreach my $id (@idlist) {
$oncc{FetchOneColumn()} = 1;
}
- my (@added, @removed) = ();
+ my (@added, @removed, @blocked_cc) = ();
+
+ if (Param("strict_isolation")) {
+ foreach my $pid (keys %cc_add) {
+ my $user = Bugzilla::User->new($pid);
+ if (!$user->can_edit_product($bug_obj->{'product_id'})) {
+ push (@blocked_cc, $cc_add{$pid});
+ }
+ }
+ if (scalar(@blocked_cc)) {
+ my $blocked_cc = join(", ", @blocked_cc);
+ ThrowUserError("invalid_user_group",
+ {'user' => $blocked_cc , bug_id => $id });
+ }
+ }
+
foreach my $pid (keys %cc_add) {
# If this person isn't already on the cc list, add them
if (! $oncc{$pid}) {
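Review bot: The blocking loop in this hunk walks all of `%cc_add`, while the add loop below it skips entries already in `%oncc`; if `%cc_add` can contain users already on the list, re-submitting a long-standing CC who lacks product access would now reject the whole edit, so the check should skip them too: `next if $oncc{$pid};` as the first statement of the new `foreach my $pid (keys %cc_add)` block. The CC path also judges access with `can_edit_product` directly, whereas the assignee and QA-contact paths in this commit go through `Bugzilla::Bug::can_add_user_to_bug`; if the two differ the policies will drift, so routing CC through the same helper or commenting why it differs would help. `push (@blocked_cc, ...)` has a space before the paren that the surrounding code does not use. The foreach over `@idlist` started before the hunk.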