authormyk%mozilla.org <>2001-08-21 05:36:10 +0200
committermyk%mozilla.org <>2001-08-21 05:36:10 +0200
commit126c2d754cfd61217b1d097e9adac9092ac27a29 (patch)
tree312fcf7bb7f3d89cc1f644e2bf97dc929c73516d /CGI.pl
parent5391f72b57b6bcecdc6349981eaf879917646c16 (diff)
Fix for bug 96085: don't allow unauthorized users to access restricted bugs that do not have a QA contact.
Patch by Myk Melez <myk@mozilla.org> r=Jake <jake@acutex.net>
Diffstat (limited to 'CGI.pl')
-rw-r--r--CGI.pl17
1 files changed, 10 insertions, 7 deletions
diff --git a/CGI.pl b/CGI.pl
index 21a4ccb6b..ddf5fa14c 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -294,13 +294,16 @@ sub ValidateBugID {
my ($isauthorized, $reporter, $assignee, $qacontact, $reporter_accessible,
$assignee_accessible, $qacontact_accessible, $cclist_accessible) = FetchSQLData();
- # Finish validation and return if the user is authorized either by being
- # a member of all necessary groups or by being the reporter, assignee, or QA contact.
- return
- if $isauthorized
- || ($reporter_accessible && $reporter == $userid)
- || ($assignee_accessible && $assignee == $userid)
- || ($qacontact_accessible && $qacontact == $userid);
+ # Finish validation and return if the user is a member of all groups to which the bug belongs.
+ return if $isauthorized;
+
+ # Finish validation and return if the user is in a role that has access to the bug.
+ if ($userid) {
+ return
+ if ($reporter_accessible && $reporter == $userid)
+ || ($assignee_accessible && $assignee == $userid)
+ || ($qacontact_accessible && $qacontact == $userid);
+ }
# Try to authorize the user one more time by seeing if they are on
# the cc: list. If so, finish validation and return.
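Review bot: The new `if ($userid)` guard around the role checks carries the whole fix, but the comment above it does not say why it is needed. Going by the commit message, a logged-out request presumably has a `$userid` of 0, which compared equal to the empty `$qacontact` of a bug with no QA contact. I would record that on the guard, e.g. `# $userid is false for a logged-out user; without this guard an unset role id (0) would compare equal to it`, so a later refactor does not fold the conditions back together. The cc-list check that starts at the end of this hunk continues outside it, so it is worth confirming that it also cannot succeed when `$userid` is false. ValidateBugID's body begins and ends outside the hunk.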