Bug 830330: Make flags honour bug_check_can_change_field

r=dkl, a=LpSolit

3 files changed, 9 insertions, 3 deletions

diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 547e35fa7..5069214ba 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -4085,8 +4085,8 @@ sub check_can_change_field {
         return 1;
     }
 
-    # Allow anyone to change comments.
-    if ($field =~ /^longdesc/) {
+    # Allow anyone to change comments, or set flags
+    if ($field =~ /^longdesc/ || $field eq 'flagtypes.name') {
         return 1;
     }
 
diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm
index 3660e2a7f..98029a1b1 100644
--- a/Bugzilla/Flag.pm
+++ b/Bugzilla/Flag.pm
@@ -294,6 +294,12 @@ sub set_flag {
         ThrowCodeError('flag_unexpected_object', { 'caller' => ref $obj });
     }
 
+    # Make sure the user can change flags
+    my $privs;
+    $bug->check_can_change_field('flagtypes.name', 0, 1, \$privs)
+        || ThrowUserError('illegal_change',
+                          { field => 'flagtypes.name', privs => $privs });
+
     # Update (or delete) an existing flag.
     if ($params->{id}) {
         my $flag = $class->check({ id => $params->{id} });
diff --git a/template/en/default/flag/list.html.tmpl b/template/en/default/flag/list.html.tmpl
index 88486c7f6..7a3f88fc5 100644
--- a/template/en/default/flag/list.html.tmpl
+++ b/template/en/default/flag/list.html.tmpl
@@ -6,7 +6,7 @@
   # defined by the Mozilla Public License, v. 2.0.
   #%]
 
-[% IF user.id AND !read_only_flags %]
+[% IF user.id && !read_only_flags && bug.check_can_change_field('flagtypes.name', 0, 1) %]
 
 [%# We list flags by looping twice over the flag types relevant for the bug.
   # In the first loop, we display existing flags and then, for active types,