From 1f9c83ae81c5c81d005fa0d9a428e23ea5126576 Mon Sep 17 00:00:00 2001 From: "bugreport%peshkin.net" <> Date: Tue, 18 Oct 2005 04:19:00 +0000 Subject: Bug 309681 Prevent users from adding another user who shouldn't have access to a bug as assignee or CC member Patch by Gabriel Sales de Oliveira r=joel, a=justdave --- Bugzilla/Bug.pm | 11 +++++++++++ Bugzilla/Config/GroupSecurity.pm | 6 ++++++ Bugzilla/User.pm | 25 +++++++++++++++++++++++++ 3 files changed, 42 insertions(+) (limited to 'Bugzilla')
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 526f002b0..c08703789 100755
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -1303,6 +1303,17 @@ sub ValidateDependencies {
     return %deps;
 }
 
+#Verify if the new assignee belongs to the group of
+#the product that the bug(s) is in.
+sub can_add_user_to_bug {
+    my ($prod_id, $id, $uid) = @_;
+    my $user = new Bugzilla::User($uid);
+    if (!$user->can_edit_product($prod_id)) {
+        ThrowUserError("invalid_user_group", { 'user' =>
+            $user->login, bug_id => $id });
+    }
+}
+
 sub AUTOLOAD {
     use vars qw($AUTOLOAD);
     my $attr = $AUTOLOAD;
diff --git a/Bugzilla/Config/GroupSecurity.pm b/Bugzilla/Config/GroupSecurity.pm
index e48cd4966..bd1aa3829 100644
--- a/Bugzilla/Config/GroupSecurity.pm
+++ b/Bugzilla/Config/GroupSecurity.pm
@@ -74,6 +74,12 @@ sub get_param_list {
    name => 'usevisibilitygroups',
    type => 'b',
    default => 0
+  },
+
+  {
+   name => 'strict_isolation',
+   type => 'b',
+   default => 0
   } );
   return @param_list;
 }
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 85584d70c..9b99428a6 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -382,6 +382,26 @@ sub can_see_user {
     return Bugzilla->dbh->selectrow_array($query, undef, $otherUser->id);
 }
 
+sub can_edit_product {
+    my ($self, $prod_id) = @_;
+    my $dbh = Bugzilla->dbh;
+    my $sth = $self->{sthCanEditProductId};
+    my $userid = $self->{id};
+    my $query = q{SELECT group_id FROM group_control_map
+                  WHERE product_id =?
+                  AND canedit != 0 };
+    if (%{$self->groups}) {
+        my $groups = join(',', values(%{$self->groups}));
+        $query .= qq{AND group_id NOT IN($groups)};
+    }
+    unless ($sth) { $sth = $dbh->prepare($query); }
+    $sth->execute($prod_id);
+    $self->{sthCanEditProductId} = $sth;
+    my $result = $sth->fetchrow_array();
+
+    return (!defined($result));
+}
+
 sub can_see_bug {
     my ($self, $bugid) = @_;
     my $dbh = Bugzilla->dbh;
@@ -1535,6 +1555,11 @@ that you need to be aware of a group in order to bless a group.
 Returns 1 if the specified user account exists and is visible to the user,
 0 otherwise.
 
+=item C
+
+Determines if, given a product id, the user can edit bugs in this product
+at all.
+
 =item C
 
 Determines if the user can see the specified bug.
-- cgit v1.2.3-24-g4f1b
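Review bot: In `can_add_user_to_bug` the `$uid` argument is turned into an object and immediately dereferenced with no check that a user was found; if `new Bugzilla::User($uid)` can return undef for an unknown id (the constructor is outside this patch, so this is inferred), the `$user->can_edit_product` call and the `$user->login` in the error arguments die with an internal error rather than a clean rejection of the request. Guard it before the method call, e.g. `my $user = Bugzilla::User->new($uid);` followed by an `unless ($user) { ... }` that throws through the file's existing error helper, which also replaces the indirect-object `new Class(...)` form. Nothing in this function consults the new `strict_isolation` parameter, so as written the check is unconditional; if the gating is done by the callers that is fine, but a one-line comment saying so would stop the next reader from assuming the param is honoured here. The header comment only mentions the assignee while the commit subject covers CC members too; `# Verify that the user being added as assignee or CC is allowed to edit bugs in this product.` would match what the code actually checks.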
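Review bot: The new `strict_isolation` parameter is declared here, but nothing else in this patch reads its value: neither `can_add_user_to_bug` in Bug.pm nor `can_edit_product` in User.pm is gated on it, so either the gating lives in code outside the diff or the parameter is dead and the new check is always on. The `default => 0` only preserves existing behaviour for upgraded installs if the checks really are conditional on it, so that link should be confirmed before landing. A short comment above the entry, `# When set, users who cannot edit bugs in a product may not be made assignee or CC on its bugs.`, would also document the intent, since the parameter's description is not part of this change.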
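Review bot: `can_edit_product` caches the prepared handle in `$self->{sthCanEditProductId}`, but the SQL text it prepares has the user's group list baked in via `NOT IN($groups)` and the handle is re-executed without a `finish` after a single `fetchrow_array`, so a later call on the same object silently reuses whatever group list and query shape the first call produced and may trip DBI's active-statement warnings. The group ids come from the user's own group hash rather than from request input, so this is not an injection vector as far as the visible code shows, but binding them as placeholders and using `selectrow_array` removes both the caching hazard and the string-built SQL, and `$userid` is assigned and never used. Note also that the query only consults `canedit`; if callers rely on this predicate to decide who "shouldn't have access to a bug" (as the commit subject says), it says nothing about the visibility groups on the bug or product, which is worth stating in a comment so nobody mistakes it for a `can_see_bug` check. The rewrite below keeps the same rule: true only when no canedit group for the product lies outside the user's groups.
```perl
sub can_edit_product {
    my ($self, $prod_id) = @_;
    my $dbh = Bugzilla->dbh;
    # True only when the user belongs to every group that has canedit set
    # for this product. This says nothing about bug/product visibility.
    my $query = q{SELECT group_id FROM group_control_map
                  WHERE product_id = ?
                  AND canedit != 0 };
    my @group_ids = values %{$self->groups};
    if (@group_ids) {
        $query .= 'AND group_id NOT IN (' . join(',', ('?') x @group_ids) . ')';
    }
    my ($blocking_group) = $dbh->selectrow_array($query, undef, $prod_id, @group_ids);
    return !defined($blocking_group);
}
```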
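Review bot: The POD entry for `can_edit_product` says the user "can edit bugs in this product at all" but does not state the rule the method actually applies, which is the detail a caller deciding whether to use it as an access check needs. Suggest expanding it to: "Returns true if the user is a member of every group that has canedit set for the given product, false if at least one such group excludes the user. This does not consider bug or product visibility; use can_see_bug for that." The `=item C` line appears to have lost its `C<...>` argument in rendering, so please confirm the signature `can_edit_product($product_id)` is still present in the file.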