diff options
-rw-r--r-- | Bugzilla/Bug.pm | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 9e4135d1c..312039306 100644 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -1718,17 +1718,27 @@ sub _check_dependencies { @bug_ids = grep {$_} @bug_ids; # We do this up here to make sure all aliases are converted to IDs. @bug_ids = map { $invocant->check($_, $type)->id } @bug_ids; - + + my $user = Bugzilla->user; my @check_access = @bug_ids; # When we're updating a bug, only added or removed bug_ids are # checked for whether or not we can see/edit those bugs. if (ref $invocant) { my $old = $invocant->$type; my ($removed, $added) = diff_arrays($old, \@bug_ids); - @check_access = (@$added, @$removed); - + + # If a user has editbugs they are allowed to add dependencies on + # bugs that they cannot see -- only check access for bugs that are + # removed. + if ($user->in_group('editbugs')) { + @check_access = @$removed; + } + else { + @check_access = (@$added, @$removed); + } + # Check field permissions if we've changed anything. - if (@check_access) { + if (@$added || @$removed) { my $privs; if (!$invocant->check_can_change_field($type, 0, 1, \$privs)) { ThrowUserError('illegal_change', { field => $type, @@ -1737,8 +1747,8 @@ sub _check_dependencies { } } - my $user = Bugzilla->user; foreach my $modified_id (@check_access) { + # Check that the user has access to the other bug. my $delta_bug = $invocant->check($modified_id); # Under strict isolation, you can't modify a bug if you can't # edit it, even if you can see it. |