From 6d7c379c3f735109dd7012fa1375a06f9fbad343 Mon Sep 17 00:00:00 2001
From: Dave Lawrence <dlawrence@mozilla.com>
Date: Sun, 29 Sep 2013 23:50:14 -0400
Subject: Bug 864625 - Setting a non-privileged user as a requestee on a secure
 bug while ccing the same user to give access at the same r=LpSolit,a=sgreen

---
 Bugzilla/Flag.pm | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

(limited to 'Bugzilla/Flag.pm')

diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm
index e1e75f832..8931649e4 100644
--- a/Bugzilla/Flag.pm
+++ b/Bugzilla/Flag.pm
@@ -397,7 +397,7 @@ sub _validate {
     my $old_requestee_id = $obj_flag->requestee_id;
 
     $obj_flag->_set_status($params->{status});
-    $obj_flag->_set_requestee($params->{requestee}, $attachment, $params->{skip_roe});
+    $obj_flag->_set_requestee($params->{requestee}, $bug, $attachment, $params->{skip_roe});
 
     # The requestee ID can be undefined.
     my $requestee_changed = ($obj_flag->requestee_id || 0) != ($old_requestee_id || 0);
@@ -623,10 +623,10 @@ sub force_retarget {
 ###############################
 
 sub _set_requestee {
-    my ($self, $requestee, $attachment, $skip_requestee_on_error) = @_;
+    my ($self, $requestee, $bug, $attachment, $skip_requestee_on_error) = @_;
 
     $self->{requestee} =
-      $self->_check_requestee($requestee, $attachment, $skip_requestee_on_error);
+      $self->_check_requestee($requestee, $bug, $attachment, $skip_requestee_on_error);
 
     $self->{requestee_id} =
       $self->{requestee} ? $self->{requestee}->id : undef;
@@ -648,7 +648,7 @@ sub _set_status {
 }
 
 sub _check_requestee {
-    my ($self, $requestee, $attachment, $skip_requestee_on_error) = @_;
+    my ($self, $requestee, $bug, $attachment, $skip_requestee_on_error) = @_;
 
     # If the flag status is not "?", then no requestee can be defined.
     return undef if ($self->status ne '?');
@@ -680,8 +680,16 @@ sub _check_requestee {
         # Note that can_see_bug() will query the DB, so if the bug
         # is being added/removed from some groups and these changes
         # haven't been committed to the DB yet, they won't be taken
-        # into account here. In this case, old restrictions matters.
-        if (!$requestee->can_see_bug($self->bug_id)) {
+        # into account here. In this case, old group restrictions matter.
+        # However, if the user has just been changed to the assignee,
+        # qa_contact, or added to the cc list of the bug and the bug
+        # is cclist_accessible, the requestee is allowed.
+        if (!$requestee->can_see_bug($self->bug_id)
+            && (!$bug->cclist_accessible
+                || !grep($_->id == $requestee->id, @{ $bug->cc_users })
+            && $requestee->id != $bug->assigned_to->id
+            && (!$bug->qa_contact || $requestee->id != $bug->qa_contact->id)))
+        {
             if ($skip_requestee_on_error) {
                 undef $requestee;
             }
-- 
cgit v1.2.3-24-g4f1b