diff options
| author | travis%sedsystems.ca <> | 2005-01-21 08:22:07 +0100 |
|---|---|---|
| committer | travis%sedsystems.ca <> | 2005-01-21 08:22:07 +0100 |
| commit | 4f4c25bb8d7bacecad8f69363d96483ea92ffc32 (patch) | |
| tree | 5cd1417f8950deb82704370283e1eb0bc5c5229b /Bugzilla | |
| parent | 61a49f228204e2991aea7970c44efdd433f8c71b (diff) | |
| download | bugzilla-4f4c25bb8d7bacecad8f69363d96483ea92ffc32.tar.gz bugzilla-4f4c25bb8d7bacecad8f69363d96483ea92ffc32.tar.xz | |
Bug 266579 : Users without privs can confirm bugs by assigning to themselves first, without having canconfirm privs
Patch by LpSolit@gmail.com r=myk a=justdave
Diffstat (limited to 'Bugzilla')
| -rwxr-xr-x | Bugzilla/Bug.pm | 30 |
1 files changed, 16 insertions, 14 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index bad24b589..85f7ee030 100755 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -404,20 +404,22 @@ sub user { # Display everything as if they have all the permissions in the # world; their permissions will get checked when they log in and # actually try to make the change. - my $privileged = (!Bugzilla->user->id) - || Bugzilla->user->in_group("editbugs") - || Bugzilla->user->id == $self->{'assigned_to'}{'id'} - || (Param('useqacontact') && $self->{'qa_contact'} && - Bugzilla->user->id == $self->{'qa_contact'}{'id'}); - my $isreporter = Bugzilla->user->id && - Bugzilla->user->id == $self->{'reporter'}{'id'}; - - my $canedit = $privileged || $isreporter; - my $canconfirm = $privileged || Bugzilla->user->in_group("canconfirm"); - - $self->{'user'} = {canmove => $canmove, - canconfirm => $canconfirm, - canedit => $canedit,}; + my $unknown_privileges = !Bugzilla->user->id + || Bugzilla->user->in_group("editbugs"); + my $canedit = $unknown_privileges + || Bugzilla->user->id == $self->{'assigned_to'}{'id'} + || (Param('useqacontact') + && $self->{'qa_contact'} + && Bugzilla->user->id == $self->{'qa_contact'}{'id'}); + my $canconfirm = $unknown_privileges + || Bugzilla->user->in_group("canconfirm"); + my $isreporter = Bugzilla->user->id + && Bugzilla->user->id == $self->{'reporter'}{'id'}; + + $self->{'user'} = {canmove => $canmove, + canconfirm => $canconfirm, + canedit => $canedit, + isreporter => $isreporter}; return $self->{'user'}; } |