diff options
author | bugreport%peshkin.net <> | 2005-10-18 06:19:00 +0200 |
---|---|---|
committer | bugreport%peshkin.net <> | 2005-10-18 06:19:00 +0200 |
commit | 1f9c83ae81c5c81d005fa0d9a428e23ea5126576 (patch) | |
tree | 191cd91527ab952c5d2abe6d3a797bd415937494 | |
parent | 1a84cc52fea5f653e51a6ec43c778d4452351964 (diff) | |
download | bugzilla-1f9c83ae81c5c81d005fa0d9a428e23ea5126576.tar.gz bugzilla-1f9c83ae81c5c81d005fa0d9a428e23ea5126576.tar.xz |
Bug 309681 Prevent users from adding another user who shouldn't have access to a bug as assignee or CC member
Patch by Gabriel Sales de Oliveira <gabriel@async.com.br>
r=joel, a=justdave
-rwxr-xr-x | Bugzilla/Bug.pm | 11 | ||||
-rw-r--r-- | Bugzilla/Config/GroupSecurity.pm | 6 | ||||
-rw-r--r-- | Bugzilla/User.pm | 25 | ||||
-rwxr-xr-x | attachment.cgi | 2 | ||||
-rw-r--r-- | globals.pl | 21 | ||||
-rwxr-xr-x | process_bug.cgi | 45 | ||||
-rw-r--r-- | template/en/default/admin/params/groupsecurity.html.tmpl | 5 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 5 |
8 files changed, 93 insertions, 27 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 526f002b0..c08703789 100755 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -1303,6 +1303,17 @@ sub ValidateDependencies { return %deps; } +#Verify if the new assignee belongs to the group of +#the product that the bug(s) is in. +sub can_add_user_to_bug { + my ($prod_id, $id, $uid) = @_; + my $user = new Bugzilla::User($uid); + if (!$user->can_edit_product($prod_id)) { + ThrowUserError("invalid_user_group", { 'user' => + $user->login, bug_id => $id }); + } +} + sub AUTOLOAD { use vars qw($AUTOLOAD); my $attr = $AUTOLOAD; diff --git a/Bugzilla/Config/GroupSecurity.pm b/Bugzilla/Config/GroupSecurity.pm index e48cd4966..bd1aa3829 100644 --- a/Bugzilla/Config/GroupSecurity.pm +++ b/Bugzilla/Config/GroupSecurity.pm @@ -74,6 +74,12 @@ sub get_param_list { name => 'usevisibilitygroups', type => 'b', default => 0 + }, + + { + name => 'strict_isolation', + type => 'b', + default => 0 } ); return @param_list; } diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index 85584d70c..9b99428a6 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -382,6 +382,26 @@ sub can_see_user { return Bugzilla->dbh->selectrow_array($query, undef, $otherUser->id); } +sub can_edit_product { + my ($self, $prod_id) = @_; + my $dbh = Bugzilla->dbh; + my $sth = $self->{sthCanEditProductId}; + my $userid = $self->{id}; + my $query = q{SELECT group_id FROM group_control_map + WHERE product_id =? + AND canedit != 0 }; + if (%{$self->groups}) { + my $groups = join(',', values(%{$self->groups})); + $query .= qq{AND group_id NOT IN($groups)}; + } + unless ($sth) { $sth = $dbh->prepare($query); } + $sth->execute($prod_id); + $self->{sthCanEditProductId} = $sth; + my $result = $sth->fetchrow_array(); + + return (!defined($result)); +} + sub can_see_bug { my ($self, $bugid) = @_; my $dbh = Bugzilla->dbh; @@ -1535,6 +1555,11 @@ that you need to be aware of a group in order to bless a group. Returns 1 if the specified user account exists and is visible to the user, 0 otherwise. +=item C<can_edit_product(prod_id)> + +Determines if, given a product id, the user can edit bugs in this product +at all. + =item C<can_see_bug(bug_id)> Determines if the user can see the specified bug. diff --git a/attachment.cgi b/attachment.cgi index 67272ae50..eafb31ea5 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -218,7 +218,7 @@ sub validateCanChangeAttachment ON bugs.bug_id = attachments.bug_id WHERE attach_id = $attachid"); my $productid = FetchOneColumn(); - CanEditProductId($productid) + Bugzilla->user->can_edit_product_id($productid) || ThrowUserError("illegal_attachment_edit", { attach_id => $attachid }); } diff --git a/globals.pl b/globals.pl index 07d12a984..ebbce4c16 100644 --- a/globals.pl +++ b/globals.pl @@ -372,27 +372,6 @@ sub AnyDefaultGroups { return $::CachedAnyDefaultGroups; } -# -# This function checks if, given a product id, the user can edit -# bugs in this product at all. -sub CanEditProductId { - my ($productid) = @_; - my $dbh = Bugzilla->dbh; - my $query = "SELECT group_id FROM group_control_map " . - "WHERE product_id = $productid " . - "AND canedit != 0 "; - if (%{Bugzilla->user->groups}) { - $query .= "AND group_id NOT IN(" . - join(',', values(%{Bugzilla->user->groups})) . ") "; - } - $query .= $dbh->sql_limit(1); - PushGlobalSQLState(); - SendSQL($query); - my ($result) = FetchSQLData(); - PopGlobalSQLState(); - return (!defined($result)); -} - sub IsInClassification { my ($classification,$productname) = @_; diff --git a/process_bug.cgi b/process_bug.cgi index 9362af4a8..0cc4a224f 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -984,6 +984,11 @@ if (defined $cgi->param('qa_contact') # The QA contact cannot be deleted from show_bug.cgi for a single bug! if ($name ne $cgi->param('dontchange')) { $qacontact = DBNameToIdAndCheck($name) if ($name ne ""); + if (Param("strict_isolation")) { + my $product_id = get_product_id($cgi->param('product')); + Bugzilla::Bug::can_add_user_to_bug( + $product_id, $cgi->param('id'), $qacontact); + } DoComma(); if($qacontact) { $::query .= "qa_contact = $qacontact"; @@ -1046,7 +1051,14 @@ SWITCH: for ($cgi->param('knob')) { } ChangeStatus('NEW'); DoComma(); - if (!defined $cgi->param('assigned_to') + if (defined $cgi->param('assigned_to')) { + my $uid = DBNameToIdAndCheck($cgi->param('assigned_to')); + if (Param("strict_isolation")) { + my $product_id = get_product_id($cgi->param('product')); + Bugzilla::Bug::can_add_user_to_bug( + $product_id, $cgi->param('id'), $uid); + } + } elsif (!defined $cgi->param('assigned_to') || trim($cgi->param('assigned_to')) eq "") { ThrowUserError("reassign_to_empty"); } @@ -1276,6 +1288,7 @@ sub LogDependencyActivity { # show_bug.cgi). # foreach my $id (@idlist) { + my $bug_obj = new Bugzilla::Bug($id, $whoid); my %dependencychanged; $bug_changed = 0; my $write = "WRITE"; # Might want to make a param to control @@ -1350,7 +1363,16 @@ foreach my $id (@idlist) { ThrowUserError("illegal_change", $vars); } } - + if ($cgi->param('assigned_to') && Param("strict_isolation")) { + my $uid = DBNameToIdAndCheck($cgi->param('assigned_to')); + Bugzilla::Bug::can_add_user_to_bug( + $bug_obj->{'product_id'}, $id, $uid); + } + if ($cgi->param('qa_contact') && Param("strict_isolation")) { + Bugzilla::Bug::can_add_user_to_bug( + $bug_obj->{'product_id'}, $id, $qacontact); + } + # When editing multiple bugs, users can specify a list of keywords to delete # from bugs. If the list matches the current set of keywords on those bugs, # CheckCanChangeField above will fail to check permissions because it thinks @@ -1370,7 +1392,7 @@ foreach my $id (@idlist) { } $oldhash{'product'} = get_product_name($oldhash{'product_id'}); - if (!CanEditProductId($oldhash{'product_id'})) { + if (!Bugzilla->user->can_edit_product($oldhash{'product_id'})) { ThrowUserError("product_edit_denied", { product => $oldhash{'product'} }); } @@ -1565,7 +1587,22 @@ foreach my $id (@idlist) { $oncc{FetchOneColumn()} = 1; } - my (@added, @removed) = (); + my (@added, @removed, @blocked_cc) = (); + + if (Param("strict_isolation")) { + foreach my $pid (keys %cc_add) { + my $user = Bugzilla::User->new($pid); + if (!$user->can_edit_product($bug_obj->{'product_id'})) { + push (@blocked_cc, $cc_add{$pid}); + } + } + if (scalar(@blocked_cc)) { + my $blocked_cc = join(", ", @blocked_cc); + ThrowUserError("invalid_user_group", + {'user' => $blocked_cc , bug_id => $id }); + } + } + foreach my $pid (keys %cc_add) { # If this person isn't already on the cc list, add them if (! $oncc{$pid}) { diff --git a/template/en/default/admin/params/groupsecurity.html.tmpl b/template/en/default/admin/params/groupsecurity.html.tmpl index fe986f387..d4e219a88 100644 --- a/template/en/default/admin/params/groupsecurity.html.tmpl +++ b/template/en/default/admin/params/groupsecurity.html.tmpl @@ -47,5 +47,8 @@ "information.", usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _ - "specific groups?" } + "specific groups?", + + strict_isolation => "Don't allow users to assign, be qa-contacts or add to CC list " _ + "any user that do not have permission to edit the bug." } %] diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index 56fedbed3..4de46f958 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -665,6 +665,11 @@ [% title = "Invalid regular expression" %] The regular expression you entered is invalid. + [% ELSIF error == "invalid_user_group" %] + [% title = "Invalid User Group" %] + User '[% user FILTER html %]' is not able to edit the + [% terms.bug %] '[% bug_id FILTER html %]'. + [% ELSIF error == "invalid_username" %] [% title = "Invalid Username" %] The name <tt>[% name FILTER html %]</tt> is not a valid username. |