summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2006-07-02 05:01:51 +0200
committerlpsolit%gmail.com <>2006-07-02 05:01:51 +0200
commit1e087ef9416da23989f9134866586ea02df156da (patch)
treeace4823ea7692afdeabd6fa43a88afed53ed4b03 /Bugzilla
parentf301c9241af577f8f3df94338f1329d91c82d252 (diff)
downloadbugzilla-1e087ef9416da23989f9134866586ea02df156da.tar.gz
bugzilla-1e087ef9416da23989f9134866586ea02df156da.tar.xz
Bug 340278: Move CheckCanChangeField() from process_bug.cgi to Bug.pm - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=justdave
Diffstat (limited to 'Bugzilla')
-rwxr-xr-xBugzilla/Bug.pm134
1 files changed, 133 insertions, 1 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 8b6302b92..91a92cbe2 100755
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -100,7 +100,7 @@ sub initBug {
my ($bug_id, $user_id) = (@_);
my $dbh = Bugzilla->dbh;
- $bug_id = trim($bug_id);
+ $bug_id = trim($bug_id || 0);
my $old_bug_id = $bug_id;
@@ -1166,6 +1166,138 @@ sub CheckIfVotedConfirmed {
return $ret;
}
+################################################################################
+# check_can_change_field() defines what users are allowed to change. You
+# can add code here for site-specific policy changes, according to the
+# instructions given in the Bugzilla Guide and below. Note that you may also
+# have to update the Bugzilla::Bug::user() function to give people access to the
+# options that they are permitted to change.
+#
+# check_can_change_field() returns true if the user is allowed to change this
+# field, and false if they are not.
+#
+# The parameters to this method are as follows:
+# $field - name of the field in the bugs table the user is trying to change
+# $oldvalue - what they are changing it from
+# $newvalue - what they are changing it to
+# $PrivilegesRequired - return the reason of the failure, if any
+# $data - hash containing relevant parameters, e.g. from the CGI object
+################################################################################
+sub check_can_change_field {
+ my $self = shift;
+ my ($field, $oldvalue, $newvalue, $PrivilegesRequired, $data) = (@_);
+ my $user = $self->{'who'};
+
+ $oldvalue = defined($oldvalue) ? $oldvalue : '';
+ $newvalue = defined($newvalue) ? $newvalue : '';
+
+ # Return true if they haven't changed this field at all.
+ if ($oldvalue eq $newvalue) {
+ return 1;
+ } elsif (trim($oldvalue) eq trim($newvalue)) {
+ return 1;
+ # numeric fields need to be compared using ==
+ } elsif (($field eq 'estimated_time' || $field eq 'remaining_time')
+ && $newvalue ne $data->{'dontchange'}
+ && $oldvalue == $newvalue)
+ {
+ return 1;
+ }
+
+ # Allow anyone to change comments.
+ if ($field =~ /^longdesc/) {
+ return 1;
+ }
+
+ # Ignore the assigned_to field if the bug is not being reassigned
+ if ($field eq 'assigned_to'
+ && $data->{'knob'} ne 'reassignbycomponent'
+ && $data->{'knob'} ne 'reassign')
+ {
+ return 1;
+ }
+
+ # If the user isn't allowed to change a field, we must tell him who can.
+ # We store the required permission set into the $PrivilegesRequired
+ # variable which gets passed to the error template.
+ #
+ # $PrivilegesRequired = 0 : no privileges required;
+ # $PrivilegesRequired = 1 : the reporter, assignee or an empowered user;
+ # $PrivilegesRequired = 2 : the assignee or an empowered user;
+ # $PrivilegesRequired = 3 : an empowered user.
+
+ # Allow anyone with "editbugs" privs to change anything.
+ if ($user->in_group('editbugs')) {
+ return 1;
+ }
+
+ # *Only* users with "canconfirm" privs can confirm bugs.
+ if ($field eq 'canconfirm'
+ || ($field eq 'bug_status'
+ && $oldvalue eq 'UNCONFIRMED'
+ && is_open_state($newvalue)))
+ {
+ $PrivilegesRequired = 3;
+ return $user->in_group('canconfirm');
+ }
+
+ # Make sure that a valid bug ID has been given.
+ if (!$self->{'error'}) {
+ # Allow the assignee to change anything else.
+ if ($self->{'assigned_to_id'} == $user->id) {
+ return 1;
+ }
+
+ # Allow the QA contact to change anything else.
+ if (Bugzilla->params->{'useqacontact'}
+ && $self->{'qa_contact_id'}
+ && ($self->{'qa_contact_id'} == $user->id))
+ {
+ return 1;
+ }
+ }
+
+ # At this point, the user is either the reporter or an
+ # unprivileged user. We first check for fields the reporter
+ # is not allowed to change.
+
+ # The reporter may not:
+ # - reassign bugs, unless the bugs are assigned to him;
+ # in that case we will have already returned 1 above
+ # when checking for the assignee of the bug.
+ if ($field eq 'assigned_to') {
+ $PrivilegesRequired = 2;
+ return 0;
+ }
+ # - change the QA contact
+ if ($field eq 'qa_contact') {
+ $PrivilegesRequired = 2;
+ return 0;
+ }
+ # - change the target milestone
+ if ($field eq 'target_milestone') {
+ $PrivilegesRequired = 2;
+ return 0;
+ }
+ # - change the priority (unless he could have set it originally)
+ if ($field eq 'priority'
+ && !Param('letsubmitterchoosepriority'))
+ {
+ $PrivilegesRequired = 2;
+ return 0;
+ }
+
+ # The reporter is allowed to change anything else.
+ if (!$self->{'error'} && $self->{'reporter_id'} == $user->id) {
+ return 1;
+ }
+
+ # If we haven't returned by this point, then the user doesn't
+ # have the necessary permissions to change this field.
+ $PrivilegesRequired = 1;
+ return 0;
+}
+
#
# Field Validation
#