authorjocuri%softhome.net <>2004-11-24 07:41:43 +0100
committerjocuri%softhome.net <>2004-11-24 07:41:43 +0100
commiteb2423b1c5e3090d09db856e7020f4dd24232674 (patch)
tree9a2069d50391bec9e408fb25a48ce32de5cc5248 /Bugzilla
parent56ce33fb10beb9cd80e0a170b8d9a519b9181c2b (diff)
downloadbugzilla-eb2423b1c5e3090d09db856e7020f4dd24232674.tar.gz
bugzilla-eb2423b1c5e3090d09db856e7020f4dd24232674.tar.xz
Patch for bug 180879: Implement privs for bug flags modification; patch by Frédéric Buclin <LpSolit@netscape.net>, r=joel, a=justdave.
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Flag.pm19
-rw-r--r--Bugzilla/FlagType.pm30
2 files changed, 47 insertions, 2 deletions
diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm
index a58bc7e3a..0fd4b047f 100644
--- a/Bugzilla/Flag.pm
+++ b/Bugzilla/Flag.pm
@@ -139,6 +139,7 @@ sub count {
sub validate {
# Validates fields containing flag modifications.
+ my $user = Bugzilla->user;
my ($data, $bug_id) = @_;
# Get a list of flags to validate. Uses the "map" function
@@ -213,6 +214,24 @@ sub validate {
}
}
}
+
+ # Make sure the user is authorized to modify flags, see bug 180879
+ # - The flag is unchanged
+ next if ($status eq $flag->{status});
+
+ # - User can clear flags set by itself
+ next if (($status eq "X") && ($user->id eq $flag->{setter}));
+
+ # - User in the $grant_gid group can set/clear flags,
+ # including "+" and "-"
+ next if (!$flag->{type}->{grant_gid}
+ || $user->in_group(&::GroupIdToName($flag->{type}->{grant_gid})));
+
+ # - Any other flag modification is denied
+ ThrowUserError("flag_update_denied",
+ { name => $flag->{type}->{name},
+ status => $status,
+ old_status => $flag->{status} });
}
}
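Review bot: The self-clear exemption `$user->id eq $flag->{setter}` compares a user id against whatever `setter` holds, using string equality. If `setter` is a user object rather than a numeric id (its construction is not visible in this hunk), the test never matches and users outside the grant group cannot clear flags they set themselves. In that case a numeric comparison of ids, such as `$user->id == $flag->{setter}->id`, would state the intent. This path also never consults `request_gid`, so unlike the new-flag check in FlagType.pm a request-group member cannot set an existing flag back to `?`; if that is deliberate, the comment block should say so. The `validate` body starts outside the hunk.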
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index 687a01768..5b681dc0c 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -49,7 +49,8 @@ my @base_columns =
("1", "flagtypes.id", "flagtypes.name", "flagtypes.description",
"flagtypes.cc_list", "flagtypes.target_type", "flagtypes.sortkey",
"flagtypes.is_active", "flagtypes.is_requestable",
- "flagtypes.is_requesteeble", "flagtypes.is_multiplicable");
+ "flagtypes.is_requesteeble", "flagtypes.is_multiplicable",
+ "flagtypes.grant_group_id", "flagtypes.request_group_id");
# Note: when adding tables to @base_tables, make sure to include the separator
# (i.e. a comma or words like "LEFT OUTER JOIN") before the table name,
@@ -181,6 +182,7 @@ sub count {
}
sub validate {
+ my $user = Bugzilla->user;
my ($data, $bug_id, $attach_id) = @_;
# Get a list of flag types to validate. Uses the "map" function
@@ -249,6 +251,22 @@ sub validate {
attach_id => $attach_id });
}
}
+
+ # Make sure the user is authorized to modify flags, see bug 180879
+ # - User in the $grant_gid group can set flags, including "+" and "-"
+ next if (!$flag_type->{grant_gid}
+ || $user->in_group(&::GroupIdToName($flag_type->{grant_gid})));
+
+ # - User in the $request_gid group can request flags
+ next if ($status eq '?'
+ && (!$flag_type->{request_gid}
+ || $user->in_group(&::GroupIdToName($flag_type->{request_gid}))));
+
+ # - Any other flag modification is denied
+ ThrowUserError("flag_update_denied",
+ { name => $flag_type->{name},
+ status => $status,
+ old_status => "X" });
}
}
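Review bot: The `!$flag_type->{grant_gid}` and `!$flag_type->{request_gid}` branches make a flag type with no group configured open to every user, but the comments describe only the group-member case. Since this is an authorization check whose default is to permit, I would state that explicitly, for example `# - No grant group configured: any user may set this flag type` above the first `next`, with a matching line for the request group. It would also help to note that denial is raised by `ThrowUserError`, so callers must run `validate` before applying any flag change. The surrounding loop and the origin of `$status` are outside the hunk.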
@@ -348,6 +366,12 @@ sub sqlify_criteria {
push(@$columns, "COUNT(flagexclusions.type_id) AS num_exclusions");
$$having = "num_exclusions = 0";
}
+ if ($criteria->{group}) {
+ my $gid = $criteria->{group};
+ detaint_natural($gid);
+ push(@criteria, "(flagtypes.grant_group_id = $gid " .
+ " OR flagtypes.request_group_id = $gid)");
+ }
return @criteria;
}
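Review bot: The return value of `detaint_natural($gid)` is ignored before `$gid` is interpolated into the SQL fragment. As far as I know `detaint_natural` undefines its argument when it is not a natural number, so a bad `group` criterion produces a clause with an empty value and a malformed query, not a clean rejection. I would make the guard explicit, e.g. `detaint_natural($gid) || return @criteria;`, or throw a code error there, so the interpolation is only reached with a validated integer. `sqlify_criteria` begins outside the hunk.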
@@ -368,7 +392,9 @@ sub perlify_record {
$type->{'is_requestable'} = $_[8];
$type->{'is_requesteeble'} = $_[9];
$type->{'is_multiplicable'} = $_[10];
- $type->{'flag_count'} = $_[11];
+ $type->{'grant_gid'} = $_[11];
+ $type->{'request_gid'} = $_[12];
+ $type->{'flag_count'} = $_[13];
return $type;
}
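Review bot: The positional reads `$_[11]`, `$_[12]` and `$_[13]` depend on the exact order of `@base_columns` plus whatever column is appended for `flag_count`, and nothing in this function records that coupling. Because `grant_gid` and `request_gid` now feed the authorization checks in `validate`, a later column insertion that shifts the indices would silently change who may set flags. A comment such as `# indices must match @base_columns order; flag_count is appended last` would help, or the arguments could be unpacked into named lexicals at the top of `perlify_record`, whose start is outside the hunk.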