authorbugreport%peshkin.net <>2005-10-18 06:19:00 +0200
committerbugreport%peshkin.net <>2005-10-18 06:19:00 +0200
commit1f9c83ae81c5c81d005fa0d9a428e23ea5126576 (patch)
tree191cd91527ab952c5d2abe6d3a797bd415937494 /Bugzilla
parent1a84cc52fea5f653e51a6ec43c778d4452351964 (diff)
Bug 309681 Prevent users from adding another user who shouldn't have access to a bug as assignee or CC member
Patch by Gabriel Sales de Oliveira <gabriel@async.com.br> r=joel, a=justdave
Diffstat (limited to 'Bugzilla')
-rwxr-xr-xBugzilla/Bug.pm11
-rw-r--r--Bugzilla/Config/GroupSecurity.pm6
-rw-r--r--Bugzilla/User.pm25
3 files changed, 42 insertions, 0 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 526f002b0..c08703789 100755
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -1303,6 +1303,17 @@ sub ValidateDependencies {
return %deps;
}
+#Verify if the new assignee belongs to the group of
+#the product that the bug(s) is in.
+sub can_add_user_to_bug {
+ my ($prod_id, $id, $uid) = @_;
+ my $user = new Bugzilla::User($uid);
+ if (!$user->can_edit_product($prod_id)) {
+ ThrowUserError("invalid_user_group", { 'user' =>
+ $user->login, bug_id => $id });
+ }
+}
+
sub AUTOLOAD {
use vars qw($AUTOLOAD);
my $attr = $AUTOLOAD;
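Review bot: `can_add_user_to_bug` is named like a predicate but has no explicit return value: it either throws via `ThrowUserError` or falls off the end, so a caller that tests its result gets whatever the last expression evaluated to. Add `return 1;` after the `if` block so the "allowed" path is explicit. The constructor call on the second line uses indirect object syntax; write it as `my $user = Bugzilla::User->new($uid);`. The header comment could also state the contract: `# Throws invalid_user_group unless the user $uid may edit bugs in product $prod_id; $id is only used for the error message.`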
diff --git a/Bugzilla/Config/GroupSecurity.pm b/Bugzilla/Config/GroupSecurity.pm
index e48cd4966..bd1aa3829 100644
--- a/Bugzilla/Config/GroupSecurity.pm
+++ b/Bugzilla/Config/GroupSecurity.pm
@@ -74,6 +74,12 @@ sub get_param_list {
name => 'usevisibilitygroups',
type => 'b',
default => 0
+ },
+
+ {
+ name => 'strict_isolation',
+ type => 'b',
+ default => 0
} );
return @param_list;
}
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 85584d70c..9b99428a6 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -382,6 +382,26 @@ sub can_see_user {
return Bugzilla->dbh->selectrow_array($query, undef, $otherUser->id);
}
+sub can_edit_product {
+ my ($self, $prod_id) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $self->{sthCanEditProductId};
+ my $userid = $self->{id};
+ my $query = q{SELECT group_id FROM group_control_map
+ WHERE product_id =?
+ AND canedit != 0 };
+ if (%{$self->groups}) {
+ my $groups = join(',', values(%{$self->groups}));
+ $query .= qq{AND group_id NOT IN($groups)};
+ }
+ unless ($sth) { $sth = $dbh->prepare($query); }
+ $sth->execute($prod_id);
+ $self->{sthCanEditProductId} = $sth;
+ my $result = $sth->fetchrow_array();
+
+ return (!defined($result));
+}
+
sub can_see_bug {
my ($self, $bugid) = @_;
my $dbh = Bugzilla->dbh;
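Review bot: The statement handle cached in `$self->{sthCanEditProductId}` is reused on every later call, but the SQL text it was prepared from depends on `%{$self->groups}`, and the group ids are spliced into the query with `join` rather than bound as placeholders. The ids appear to come from the user's own group map rather than request input, so this is not an injection path as written, but binding them (`join(',', ('?') x @ids)` in the `NOT IN` list, with `@ids` passed to `execute`) keeps the cached handle independent of the query text and removes the string-built SQL. `$userid` is assigned and never read. Only one row is fetched and the handle is left active; calling `$sth->finish` before the `return` avoids the "active statement" warnings some DBI drivers emit on the next `execute`.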
@@ -1535,6 +1555,11 @@ that you need to be aware of a group in order to bless a group.
Returns 1 if the specified user account exists and is visible to the user,
0 otherwise.
+=item C<can_edit_product(prod_id)>
+
+Determines if, given a product id, the user can edit bugs in this product
+at all.
+
=item C<can_see_bug(bug_id)>
Determines if the user can see the specified bug.