authorDavid Lawrence <dkl@mozilla.com>2016-04-04 18:39:14 +0200
committerDavid Lawrence <dkl@mozilla.com>2016-04-04 18:39:14 +0200
commitfc2d539c324a34254a5cb5e9ebeb386c39220f93 (patch)
treeefbb2930e4b5ae0a348e180c771f3f8ab392006c /Bugzilla
parentc83c4f78bb91c27e2ffd0e5fb8091fe6795885b8 (diff)
Bug 1257662 - Disallow clearing a flag if the flag is set to allow granting by a specific group and the changer is not in that group
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Flag.pm6
-rw-r--r--Bugzilla/User.pm7
2 files changed, 10 insertions, 3 deletions
diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm
index 07041bd79..c6c979fa7 100644
--- a/Bugzilla/Flag.pm
+++ b/Bugzilla/Flag.pm
@@ -782,13 +782,13 @@ sub _check_setter {
# Make sure the user is authorized to modify flags, see bug 180879:
# - The flag exists and is unchanged.
# - The flag setter can unset flag.
- # - Users in the request_group can clear pending requests and set flags
- # and can rerequest set flags.
- # - Users in the grant_group can set/clear flags, including "+" and "-".
+ # - Users in the request_group can clear pending requests
+ # - Users in the grant_group can set/cleari/request flags, including "+" and "-".
unless (($status eq $self->{_old_status})
|| ($status eq 'X' && $setter->id == Bugzilla->user->id)
|| (($status eq 'X' || $status eq '?')
&& $setter->can_request_flag($self->type))
+ || $setter->can_unset_flag($self->type, $self->{_old_status})
|| $setter->can_set_flag($self->type))
{
ThrowUserError('flag_update_denied',
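Review bot: The new `can_unset_flag` alternative in the `unless` chain is not gated on the new status being 'X', so for a flag type with a grant group a user outside both groups can move a pending '?' request to '+' or '-': `can_unset_flag` returns 1 whenever the old status is not '+'/'-', and that alternative short-circuits before the grant-group check in `can_set_flag` which used to block it. Because the clause is one more alternative in an allow-list it can only widen what is accepted; the unchanged request_group clause just above it still lets request_group members clear a granted '+'/'-' flag, so the restriction named in the commit title does not appear in this hunk unless `can_request_flag` changed outside the diffstat. Suggested: `|| ($status eq 'X' && $setter->can_unset_flag($self->type, $self->{_old_status}))`, and, to match the rewritten comment saying request_group members only clear pending requests, add `&& $setter->can_unset_flag($self->type, $self->{_old_status})` to the request_group clause. The comment also has a typo, `set/cleari/request` should read `set/clear/request`. `_check_setter` begins before and continues after this hunk.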
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 5386e70ca..3fe59fe76 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1529,6 +1529,13 @@ sub can_set_flag {
|| $self->in_group_id($flag_type->grant_group_id)) ? 1 : 0;
}
+sub can_unset_flag {
+ my ($self, $flag_type, $flag_status) = @_;
+ return 1 if !$flag_type->grant_group_id;
+ return 1 if ($flag_status ne '+' && $flag_status ne '-');
+ return $self->in_group_id($flag_type->grant_group_id) ? 1 : 0;
+}
+
# visible_groups_inherited returns a reference to a list of all the groups
# whose members are visible to this user.
sub visible_groups_inherited {
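Review bot: `can_unset_flag` is added without a comment or POD, unlike the surrounding subs, so its contract (the second argument is the flag's current status, not the requested one, and the sub never consults request_group) can only be recovered by reading `_check_setter` in Flag.pm. Suggest a header comment such as `# Returns 1 if this user may clear a flag of $flag_type whose current status is $flag_status: always when the type has no grant group or the flag is not currently granted/denied, otherwise only for members of the grant group.` and, if User.pm keeps its per-method POD further down the file, a matching `=item can_unset_flag` entry. If any caller can pass an undefined status (a flag with no recorded old status), the two `ne` comparisons emit uninitialized warnings and, since both are true for undef, the sub returns 1 and treats the flag as clearable by anyone; `$flag_status //= '';` at the top, or an explicit `defined` test, would make that path deliberate rather than accidental.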