summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2008-10-16 18:53:05 +0200
committerlpsolit%gmail.com <>2008-10-16 18:53:05 +0200
commitdd45919d7b2f2f7ccc5ae33ef9a58b4ed6a7fd2b (patch)
tree619370e94d43e155a591c98e01bbb1f720acd728
parente5f4c8ddf62850fd27ba24dbd71cb5f128b184b0 (diff)
downloadbugzilla-dd45919d7b2f2f7ccc5ae33ef9a58b4ed6a7fd2b.tar.gz
bugzilla-dd45919d7b2f2f7ccc5ae33ef9a58b4ed6a7fd2b.tar.xz
Bug 457642: Users with editbugs privs cannot edit a duplicate anymore if it points to a bug you cannot see - Patch by Frédéric Buclin <LpSolit@gmail.com> r/a=mkanat
-rw-r--r--Bugzilla/Bug.pm34
1 files changed, 23 insertions, 11 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 3bf5a1906..95e6f6d31 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -308,22 +308,25 @@ sub check {
}
}
- # XXX This hack needs to go away.
- return $self if (defined $field
- && ($field eq "dependson" || $field eq "blocked"));
+ unless ($field && $field =~ /^(dependson|blocked|dup_id)$/) {
+ $self->check_is_visible;
+ }
+ return $self;
+}
+sub check_is_visible {
+ my $self = shift;
my $user = Bugzilla->user;
- if (!$user->can_see_bug($id)) {
+
+ if (!$user->can_see_bug($self->id)) {
# The error the user sees depends on whether or not they are
# logged in (i.e. $user->id contains the user's positive integer ID).
if ($user->id) {
- ThrowUserError("bug_access_denied", { bug_id => $id });
+ ThrowUserError("bug_access_denied", { bug_id => $self->id });
} else {
- ThrowUserError("bug_access_query", { bug_id => $id });
+ ThrowUserError("bug_access_query", { bug_id => $self->id });
}
}
-
- return $self;
}
# Docs for create() (there's no POD in this file yet, but we very
@@ -1204,10 +1207,19 @@ sub _check_dup_id {
$dupe_of = trim($dupe_of);
$dupe_of || ThrowCodeError('undefined_field', { field => 'dup_id' });
- # Make sure we can change the original bug (issue A on bug 96085)
+ # Validate the bug ID. The second argument will force check() to only
+ # make sure that the bug exists, and convert the alias to the bug ID
+ # if a string is passed. Group restrictions are checked below.
my $dupe_of_bug = $self->check($dupe_of, 'dup_id');
$dupe_of = $dupe_of_bug->id;
-
+
+ # If the dupe is unchanged, we have nothing more to check.
+ return $dupe_of if ($self->dup_id && $self->dup_id == $dupe_of);
+
+ # If we come here, then the duplicate is new. We have to make sure
+ # that we can view/change it (issue A on bug 96085).
+ $dupe_of_bug->check_is_visible;
+
# Make sure a loop isn't created when marking this bug
# as duplicate.
my %dupes;
@@ -1799,7 +1811,7 @@ sub set_dup_id {
my ($self, $dup_id) = @_;
my $old = $self->dup_id || 0;
$self->set('dup_id', $dup_id);
- my $new = $self->dup_id || 0;
+ my $new = $self->dup_id;
return if $old == $new;
# Update the other bug.