From eb2423b1c5e3090d09db856e7020f4dd24232674 Mon Sep 17 00:00:00 2001
From: "jocuri%softhome.net" <>
Date: Wed, 24 Nov 2004 06:41:43 +0000
Subject: Patch for bug 180879: Implement privs for bug flags modification;
 patch by Frédéric Buclin <LpSolit@netscape.net>, r=joel, a=justdave.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Bugzilla/Flag.pm | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'Bugzilla/Flag.pm')

diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm
index a58bc7e3a..0fd4b047f 100644
--- a/Bugzilla/Flag.pm
+++ b/Bugzilla/Flag.pm
@@ -139,6 +139,7 @@ sub count {
 sub validate {
     # Validates fields containing flag modifications.
 
+    my $user = Bugzilla->user;
     my ($data, $bug_id) = @_;
   
     # Get a list of flags to validate.  Uses the "map" function
@@ -213,6 +214,24 @@ sub validate {
                 }
             }
         }
+
+        # Make sure the user is authorized to modify flags, see bug 180879
+        # - The flag is unchanged
+        next if ($status eq $flag->{status});
+
+        # - User can clear flags set by itself
+        next if (($status eq "X") && ($user->id eq $flag->{setter}));
+
+        # - User in the $grant_gid group can set/clear flags,
+        #   including "+" and "-"
+        next if (!$flag->{type}->{grant_gid}
+                 || $user->in_group(&::GroupIdToName($flag->{type}->{grant_gid})));
+
+        # - Any other flag modification is denied
+        ThrowUserError("flag_update_denied",
+                        { name       => $flag->{type}->{name},
+                          status     => $status,
+                          old_status => $flag->{status} });
     }
 }
 
-- 
cgit v1.2.3-24-g4f1b