diff options
| author | Dylan William Hardison <dylan@hardison.net> | 2016-11-17 15:14:44 +0100 |
|---|---|---|
| committer | Dylan William Hardison <dylan@hardison.net> | 2016-11-17 15:14:44 +0100 |
| commit | 10bf6d405accfa7ccfb9aac816b8c54d9e5d86d5 (patch) | |
| tree | f329c36ea949cf0b06fb0a280a122b4c5b9ce855 /Bugzilla/Flag.pm | |
| parent | 648ddd30b1504c7729fc0211c22b2104920b1e7d (diff) | |
| download | bugzilla-10bf6d405accfa7ccfb9aac816b8c54d9e5d86d5.tar.gz bugzilla-10bf6d405accfa7ccfb9aac816b8c54d9e5d86d5.tar.xz | |
Bug 1317965 - Flag permission checks broken by bug 1257662 allowing unauthorized flag modification
Diffstat (limited to 'Bugzilla/Flag.pm')
| -rw-r--r-- | Bugzilla/Flag.pm | 22 |
1 files changed, 5 insertions, 17 deletions
diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm index 3e7aa6819..6383ef364 100644 --- a/Bugzilla/Flag.pm +++ b/Bugzilla/Flag.pm @@ -768,23 +768,11 @@ sub _check_setter { # to the new flag status. my $status = $self->status; - # Make sure the user is authorized to modify flags, see bug 180879: - # - The flag exists and is unchanged. - # - The flag setter can unset flag. - # - Users in the request_group can clear pending requests - # - Users in the grant_group can set/cleari/request flags, including "+" and "-". - unless (($status eq $self->{_old_status}) - || ($status eq 'X' && $setter->id == Bugzilla->user->id) - || (($status eq 'X' || $status eq '?') - && $setter->can_request_flag($self->type)) - || $setter->can_unset_flag($self->type, $self->{_old_status}) - || $setter->can_set_flag($self->type)) - { - ThrowUserError('flag_update_denied', - { name => $self->type->name, - status => $status, - old_status => $self->{_old_status} }); - } + ThrowUserError('flag_update_denied', + { name => $self->type->name, + status => $status, + old_status => $self->{_old_status} }) + unless $setter->can_change_flag($self->type, $self->{_old_status} || 'X', $status); # If the request is being retargetted, we don't update # the setter, so that the setter gets the notification. |