author | Dylan William Hardison <dylan@hardison.net> | 2016-11-17 15:14:44 +0100 |
committer | Dylan William Hardison <dylan@hardison.net> | 2016-11-17 15:14:44 +0100 |
commit | 10bf6d405accfa7ccfb9aac816b8c54d9e5d86d5 (patch) | |
tree | f329c36ea949cf0b06fb0a280a122b4c5b9ce855 /Bugzilla/User.pm | |
parent | 648ddd30b1504c7729fc0211c22b2104920b1e7d (diff) | |
Bug 1317965 - Flag permission checks broken by bug 1257662 allowing unauthorized flag modification
Diffstat (limited to 'Bugzilla/User.pm')
-rw-r--r-- | Bugzilla/User.pm | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 447c33c21..0eb9587eb 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1583,6 +1583,52 @@ sub check_can_admin_flagtype {
 return wantarray ? ($flagtype, $can_fully_edit) : $flagtype;
 }
 
+sub can_change_flag {
+ my ($self, $flag_type, $old_status, $new_status) = @_;
+
+ # "old_status:new_status" => [OR conditions
+ state $flag_transitions = {
+ 'X:-' => ['grant_group'],
+ 'X:+' => ['grant_group'],
+ 'X:?' => ['request_group'],
+
+ '?:X' => ['request_group', 'is_setter'],
+ '?:-' => ['grant_group'],
+ '?:+' => ['grant_group'],
+
+ '+:X' => ['grant_group'],
+ '+:-' => ['grant_group'],
+ '+:?' => ['grant_group'],
+
+ '-:X' => ['grant_group'],
+ '-:+' => ['grant_group'],
+ '-:?' => ['grant_group'],
+ };
+
+ return 1 if $new_status eq $old_status;
+
+ my $action = "$old_status:$new_status";
+ my %bool = (
+ request_group => $self->can_request_flag($flag_type),
+ grant_group => $self->can_set_flag($flag_type),
+ is_setter => $self->id == Bugzilla->user->id,
+ );
+
+ my $cond = $flag_transitions->{$action};
+ if ($cond) {
+ if (any { $bool{ $_ } } @$cond) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+ }
+ else {
+ warn "unknown flag transition blocked: $action";
+ return 0;
+ }
+}
+
 sub can_request_flag {
 my ($self, $flag_type) = @_;
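Review bot: `is_setter` in the new `%bool` of `can_change_flag` is `$self->id == Bugzilla->user->id`, which only tests whether the invocant is the logged-in user — the method receives the flag type and the two statuses but not the flag, so it never looks at who actually set the request — and that makes the `'?:X'` transition pass for any caller that invokes the method on `Bugzilla->user`. That is only sound if every caller passes the flag's existing setter as the invocant, which this hunk cannot show; the contract should at least be stated above the sub, e.g. `# $self must be the flag's current setter: is_setter is true only when the logged-in user is clearing a request they made themselves`, and a follow-up could take the setter id as an explicit argument so the check cannot be satisfied by accident. A second, smaller point: `$old_status` and `$new_status` are interpolated into `$action` unvalidated, so an undefined status would produce a key like `':+'` that the `warn` branch correctly rejects but with an "uninitialized value" warning first; an explicit `return 0 unless defined $old_status && defined $new_status;` before building `$action` would make the fail-closed behaviour deliberate rather than incidental. The comment `# "old_status:new_status" => [OR conditions` also has an unclosed bracket.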