From 4f4c25bb8d7bacecad8f69363d96483ea92ffc32 Mon Sep 17 00:00:00 2001
From: "travis%sedsystems.ca" <>
Date: Fri, 21 Jan 2005 07:22:07 +0000
Subject: Bug 266579 : Users without privs can confirm bugs by assigning to themselves first, without having canconfirm privs Patch by LpSolit@gmail.com r=myk a=justdave
---
 Bugzilla/Bug.pm | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)
(limited to 'Bugzilla/Bug.pm')
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index bad24b589..85f7ee030 100755
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -404,20 +404,22 @@ sub user {
 # Display everything as if they have all the permissions in the
 # world; their permissions will get checked when they log in and
 # actually try to make the change.
- my $privileged = (!Bugzilla->user->id)
- || Bugzilla->user->in_group("editbugs")
- || Bugzilla->user->id == $self->{'assigned_to'}{'id'}
- || (Param('useqacontact') && $self->{'qa_contact'} &&
- Bugzilla->user->id == $self->{'qa_contact'}{'id'});
- my $isreporter = Bugzilla->user->id &&
- Bugzilla->user->id == $self->{'reporter'}{'id'};
-
- my $canedit = $privileged || $isreporter;
- my $canconfirm = $privileged || Bugzilla->user->in_group("canconfirm");
-
- $self->{'user'} = {canmove => $canmove,
- canconfirm => $canconfirm,
- canedit => $canedit,};
+ my $unknown_privileges = !Bugzilla->user->id
+ || Bugzilla->user->in_group("editbugs");
+ my $canedit = $unknown_privileges
+ || Bugzilla->user->id == $self->{'assigned_to'}{'id'}
+ || (Param('useqacontact')
+ && $self->{'qa_contact'}
+ && Bugzilla->user->id == $self->{'qa_contact'}{'id'});
+ my $canconfirm = $unknown_privileges
+ || Bugzilla->user->in_group("canconfirm");
+ my $isreporter = Bugzilla->user->id
+ && Bugzilla->user->id == $self->{'reporter'}{'id'};
+
+ $self->{'user'} = {canmove => $canmove,
+ canconfirm => $canconfirm,
+ canedit => $canedit,
+ isreporter => $isreporter};
 return $self->{'user'};
 }
-- 
cgit v1.2.3-24-g4f1b
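Review bot: The `canconfirm` flag computed here appears to drive only what the page offers (the context comment says permissions are checked when the change is actually made), so dropping the assignee and QA contact from it closes bug 266579 only if the code that processes the submitted change enforces the same rule; that code is outside this file-limited patch view and should be confirmed alongside it. `canedit` also no longer includes the reporter, so any consumer that relied on it for reporters now has to test the new `isreporter` key as well. The name `$unknown_privileges` is also true for `editbugs` members, whose privileges are known; a comment such as `# True for logged-out users (shown everything) and for editbugs members (allowed everything).` above the assignment would make that explicit. `sub user` starts before the hunk, so how `$canmove` is derived cannot be judged from here.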