diff options
author | lpsolit%gmail.com <> | 2006-07-02 05:01:51 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2006-07-02 05:01:51 +0200 |
commit | 1e087ef9416da23989f9134866586ea02df156da (patch) | |
tree | ace4823ea7692afdeabd6fa43a88afed53ed4b03 /Bugzilla | |
parent | f301c9241af577f8f3df94338f1329d91c82d252 (diff) | |
download | bugzilla-1e087ef9416da23989f9134866586ea02df156da.tar.gz bugzilla-1e087ef9416da23989f9134866586ea02df156da.tar.xz |
Bug 340278: Move CheckCanChangeField() from process_bug.cgi to Bug.pm - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=justdave
Diffstat (limited to 'Bugzilla')
-rwxr-xr-x | Bugzilla/Bug.pm | 134 |
1 files changed, 133 insertions, 1 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 8b6302b92..91a92cbe2 100755 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -100,7 +100,7 @@ sub initBug { my ($bug_id, $user_id) = (@_); my $dbh = Bugzilla->dbh; - $bug_id = trim($bug_id); + $bug_id = trim($bug_id || 0); my $old_bug_id = $bug_id; @@ -1166,6 +1166,138 @@ sub CheckIfVotedConfirmed { return $ret; } +################################################################################ +# check_can_change_field() defines what users are allowed to change. You +# can add code here for site-specific policy changes, according to the +# instructions given in the Bugzilla Guide and below. Note that you may also +# have to update the Bugzilla::Bug::user() function to give people access to the +# options that they are permitted to change. +# +# check_can_change_field() returns true if the user is allowed to change this +# field, and false if they are not. +# +# The parameters to this method are as follows: +# $field - name of the field in the bugs table the user is trying to change +# $oldvalue - what they are changing it from +# $newvalue - what they are changing it to +# $PrivilegesRequired - return the reason of the failure, if any +# $data - hash containing relevant parameters, e.g. from the CGI object +################################################################################ +sub check_can_change_field { + my $self = shift; + my ($field, $oldvalue, $newvalue, $PrivilegesRequired, $data) = (@_); + my $user = $self->{'who'}; + + $oldvalue = defined($oldvalue) ? $oldvalue : ''; + $newvalue = defined($newvalue) ? $newvalue : ''; + + # Return true if they haven't changed this field at all. + if ($oldvalue eq $newvalue) { + return 1; + } elsif (trim($oldvalue) eq trim($newvalue)) { + return 1; + # numeric fields need to be compared using == + } elsif (($field eq 'estimated_time' || $field eq 'remaining_time') + && $newvalue ne $data->{'dontchange'} + && $oldvalue == $newvalue) + { + return 1; + } + + # Allow anyone to change comments. + if ($field =~ /^longdesc/) { + return 1; + } + + # Ignore the assigned_to field if the bug is not being reassigned + if ($field eq 'assigned_to' + && $data->{'knob'} ne 'reassignbycomponent' + && $data->{'knob'} ne 'reassign') + { + return 1; + } + + # If the user isn't allowed to change a field, we must tell him who can. + # We store the required permission set into the $PrivilegesRequired + # variable which gets passed to the error template. + # + # $PrivilegesRequired = 0 : no privileges required; + # $PrivilegesRequired = 1 : the reporter, assignee or an empowered user; + # $PrivilegesRequired = 2 : the assignee or an empowered user; + # $PrivilegesRequired = 3 : an empowered user. + + # Allow anyone with "editbugs" privs to change anything. + if ($user->in_group('editbugs')) { + return 1; + } + + # *Only* users with "canconfirm" privs can confirm bugs. + if ($field eq 'canconfirm' + || ($field eq 'bug_status' + && $oldvalue eq 'UNCONFIRMED' + && is_open_state($newvalue))) + { + $PrivilegesRequired = 3; + return $user->in_group('canconfirm'); + } + + # Make sure that a valid bug ID has been given. + if (!$self->{'error'}) { + # Allow the assignee to change anything else. + if ($self->{'assigned_to_id'} == $user->id) { + return 1; + } + + # Allow the QA contact to change anything else. + if (Bugzilla->params->{'useqacontact'} + && $self->{'qa_contact_id'} + && ($self->{'qa_contact_id'} == $user->id)) + { + return 1; + } + } + + # At this point, the user is either the reporter or an + # unprivileged user. We first check for fields the reporter + # is not allowed to change. + + # The reporter may not: + # - reassign bugs, unless the bugs are assigned to him; + # in that case we will have already returned 1 above + # when checking for the assignee of the bug. + if ($field eq 'assigned_to') { + $PrivilegesRequired = 2; + return 0; + } + # - change the QA contact + if ($field eq 'qa_contact') { + $PrivilegesRequired = 2; + return 0; + } + # - change the target milestone + if ($field eq 'target_milestone') { + $PrivilegesRequired = 2; + return 0; + } + # - change the priority (unless he could have set it originally) + if ($field eq 'priority' + && !Param('letsubmitterchoosepriority')) + { + $PrivilegesRequired = 2; + return 0; + } + + # The reporter is allowed to change anything else. + if (!$self->{'error'} && $self->{'reporter_id'} == $user->id) { + return 1; + } + + # If we haven't returned by this point, then the user doesn't + # have the necessary permissions to change this field. + $PrivilegesRequired = 1; + return 0; +} + # # Field Validation # |