From ac0544069d03896a414e42d1b31a1d7362bb9f39 Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org" <>
Date: Wed, 8 Jul 2009 13:54:46 +0000
Subject: Bug 495257: [SECURITY] Make check_can_change_field enforce permissions on confirming a bug and on which bug statuses a user can set
Patch by Max Kanat-Alexander r=LpSolit, a=mkanat
---
 Bugzilla/Bug.pm | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'Bugzilla')
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 38248fd39..8b140e92f 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -168,6 +168,7 @@ use constant UPDATE_VALIDATORS => {
     bug_status => \&_check_bug_status,
     cclist_accessible => \&Bugzilla::Object::check_boolean,
     dup_id => \&_check_dup_id,
+    everconfirmed => \&Bugzilla::Object::check_boolean,
     qa_contact => \&_check_qa_contact,
     reporter_accessible => \&Bugzilla::Object::check_boolean,
     resolution => \&_check_resolution,
@@ -3461,6 +3462,7 @@ sub check_can_change_field {
     # *Only* users with (product-specific) "canconfirm" privs can confirm bugs.
     if ($field eq 'canconfirm'
+        || ($field eq 'everconfirmed' && $newvalue)
         || ($field eq 'bug_status'
             && $oldvalue eq 'UNCONFIRMED'
             && is_open_state($newvalue)))
@@ -3516,6 +3518,18 @@ sub check_can_change_field {
         $$PrivilegesRequired = 2;
         return 0;
     }
+    # - unconfirm bugs (confirming them is handled above)
+    if ($field eq 'everconfirmed') {
+        $$PrivilegesRequired = 2;
+        return 0;
+    }
+    # - change the status from one open state to another
+    if ($field eq 'bug_status'
+        && is_open_state($oldvalue) && is_open_state($newvalue))
+    {
+        $$PrivilegesRequired = 2;
+        return 0;
+    }
     # The reporter is allowed to change anything else.
     if (!$self->{'error'} && $self->{'reporter_id'} == $user->id) {
-- 
cgit v1.2.3-24-g4f1b
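Review bot: The new `everconfirmed` arm of the canconfirm test, `|| ($field eq 'everconfirmed' && $newvalue)`, keys only on the truthiness of `$newvalue` and never looks at `$oldvalue`, so a write of 1 over an already-confirmed bug takes the canconfirm path unless an earlier part of check_can_change_field already returns for unchanged values; that earlier part lies outside this hunk, so this may be fine, but it is worth confirming. The arm also assumes `$newvalue` has already been normalized to 0/1 by the `check_boolean` validator registered in the UPDATE_VALIDATORS hunk; if the raw submitted value can reach this routine, any non-empty string is simply routed to the stricter check, which fails safe but is not obvious from the line itself. A short comment would pin both expectations: `# $newvalue is a 0/1 flag (see UPDATE_VALIDATORS); any true value is a confirm attempt.` The `if` body and the remainder of check_can_change_field are outside the hunk.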
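Review bot: The comment on the new `bug_status` block, `# - change the status from one open state to another`, leaves the reader to re-derive why only open-to-open transitions are restricted here: UNCONFIRMED-to-open is already decided by the canconfirm block earlier in the same function (the second hunk), so an `everconfirmed` change reaching this point can only be an unconfirm, and any transition into or out of a closed state falls through to the `reporter_id` rule visible just below. One extra sentence in that comment would record this, e.g. `# (UNCONFIRMED -> open is handled by the canconfirm check above; transitions involving a closed state fall through to the reporter rule below)`. Both new branches also repeat the bare `$$PrivilegesRequired = 2;` from the surrounding blocks; if the file already has a named constant for that privilege level it would read better here, otherwise a trailing comment naming what level 2 denotes would help. check_can_change_field begins before this hunk, so the earlier returns it relies on are not visible here.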