diff options
author | jocuri%softhome.net <> | 2004-11-24 07:41:43 +0100 |
---|---|---|
committer | jocuri%softhome.net <> | 2004-11-24 07:41:43 +0100 |
commit | eb2423b1c5e3090d09db856e7020f4dd24232674 (patch) | |
tree | 9a2069d50391bec9e408fb25a48ce32de5cc5248 /Bugzilla | |
parent | 56ce33fb10beb9cd80e0a170b8d9a519b9181c2b (diff) | |
download | bugzilla-eb2423b1c5e3090d09db856e7020f4dd24232674.tar.gz bugzilla-eb2423b1c5e3090d09db856e7020f4dd24232674.tar.xz |
Patch for bug 180879: Implement privs for bug flags modification; patch by Frédéric Buclin <LpSolit@netscape.net>, r=joel, a=justdave.
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/Flag.pm | 19 | ||||
-rw-r--r-- | Bugzilla/FlagType.pm | 30 |
2 files changed, 47 insertions, 2 deletions
diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm index a58bc7e3a..0fd4b047f 100644 --- a/Bugzilla/Flag.pm +++ b/Bugzilla/Flag.pm @@ -139,6 +139,7 @@ sub count { sub validate { # Validates fields containing flag modifications. + my $user = Bugzilla->user; my ($data, $bug_id) = @_; # Get a list of flags to validate. Uses the "map" function @@ -213,6 +214,24 @@ sub validate { } } } + + # Make sure the user is authorized to modify flags, see bug 180879 + # - The flag is unchanged + next if ($status eq $flag->{status}); + + # - User can clear flags set by itself + next if (($status eq "X") && ($user->id eq $flag->{setter})); + + # - User in the $grant_gid group can set/clear flags, + # including "+" and "-" + next if (!$flag->{type}->{grant_gid} + || $user->in_group(&::GroupIdToName($flag->{type}->{grant_gid}))); + + # - Any other flag modification is denied + ThrowUserError("flag_update_denied", + { name => $flag->{type}->{name}, + status => $status, + old_status => $flag->{status} }); } } diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm index 687a01768..5b681dc0c 100644 --- a/Bugzilla/FlagType.pm +++ b/Bugzilla/FlagType.pm @@ -49,7 +49,8 @@ my @base_columns = ("1", "flagtypes.id", "flagtypes.name", "flagtypes.description", "flagtypes.cc_list", "flagtypes.target_type", "flagtypes.sortkey", "flagtypes.is_active", "flagtypes.is_requestable", - "flagtypes.is_requesteeble", "flagtypes.is_multiplicable"); + "flagtypes.is_requesteeble", "flagtypes.is_multiplicable", + "flagtypes.grant_group_id", "flagtypes.request_group_id"); # Note: when adding tables to @base_tables, make sure to include the separator # (i.e. a comma or words like "LEFT OUTER JOIN") before the table name, @@ -181,6 +182,7 @@ sub count { } sub validate { + my $user = Bugzilla->user; my ($data, $bug_id, $attach_id) = @_; # Get a list of flag types to validate. Uses the "map" function @@ -249,6 +251,22 @@ sub validate { attach_id => $attach_id }); } } + + # Make sure the user is authorized to modify flags, see bug 180879 + # - User in the $grant_gid group can set flags, including "+" and "-" + next if (!$flag_type->{grant_gid} + || $user->in_group(&::GroupIdToName($flag_type->{grant_gid}))); + + # - User in the $request_gid group can request flags + next if ($status eq '?' + && (!$flag_type->{request_gid} + || $user->in_group(&::GroupIdToName($flag_type->{request_gid})))); + + # - Any other flag modification is denied + ThrowUserError("flag_update_denied", + { name => $flag_type->{name}, + status => $status, + old_status => "X" }); } } @@ -348,6 +366,12 @@ sub sqlify_criteria { push(@$columns, "COUNT(flagexclusions.type_id) AS num_exclusions"); $$having = "num_exclusions = 0"; } + if ($criteria->{group}) { + my $gid = $criteria->{group}; + detaint_natural($gid); + push(@criteria, "(flagtypes.grant_group_id = $gid " . + " OR flagtypes.request_group_id = $gid)"); + } return @criteria; } @@ -368,7 +392,9 @@ sub perlify_record { $type->{'is_requestable'} = $_[8]; $type->{'is_requesteeble'} = $_[9]; $type->{'is_multiplicable'} = $_[10]; - $type->{'flag_count'} = $_[11]; + $type->{'grant_gid'} = $_[11]; + $type->{'request_gid'} = $_[12]; + $type->{'flag_count'} = $_[13]; return $type; } |