From dd45919d7b2f2f7ccc5ae33ef9a58b4ed6a7fd2b Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Thu, 16 Oct 2008 16:53:05 +0000
Subject: Bug 457642: Users with editbugs privs cannot edit a duplicate anymore
 if it points to a bug you cannot see - Patch by Frédéric Buclin
 <LpSolit@gmail.com> r/a=mkanat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Bugzilla/Bug.pm | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

(limited to 'Bugzilla')

diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 3bf5a1906..95e6f6d31 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -308,22 +308,25 @@ sub check {
         }
     }
 
-    # XXX This hack needs to go away.
-    return $self if (defined $field 
-                     && ($field eq "dependson" || $field eq "blocked"));
+    unless ($field && $field =~ /^(dependson|blocked|dup_id)$/) {
+        $self->check_is_visible;
+    }
+    return $self;
+}
 
+sub check_is_visible {
+    my $self = shift;
     my $user = Bugzilla->user;
-    if (!$user->can_see_bug($id)) {
+
+    if (!$user->can_see_bug($self->id)) {
         # The error the user sees depends on whether or not they are
         # logged in (i.e. $user->id contains the user's positive integer ID).
         if ($user->id) {
-            ThrowUserError("bug_access_denied", { bug_id => $id });
+            ThrowUserError("bug_access_denied", { bug_id => $self->id });
         } else {
-            ThrowUserError("bug_access_query", { bug_id => $id });
+            ThrowUserError("bug_access_query", { bug_id => $self->id });
         }
     }
-
-    return $self;
 }
 
 # Docs for create() (there's no POD in this file yet, but we very
@@ -1204,10 +1207,19 @@ sub _check_dup_id {
     
     $dupe_of = trim($dupe_of);
     $dupe_of || ThrowCodeError('undefined_field', { field => 'dup_id' });
-    # Make sure we can change the original bug (issue A on bug 96085)
+    # Validate the bug ID. The second argument will force check() to only
+    # make sure that the bug exists, and convert the alias to the bug ID
+    # if a string is passed. Group restrictions are checked below.
     my $dupe_of_bug = $self->check($dupe_of, 'dup_id');
     $dupe_of = $dupe_of_bug->id;
-    
+
+    # If the dupe is unchanged, we have nothing more to check.
+    return $dupe_of if ($self->dup_id && $self->dup_id == $dupe_of);
+
+    # If we come here, then the duplicate is new. We have to make sure
+    # that we can view/change it (issue A on bug 96085).
+    $dupe_of_bug->check_is_visible;
+
     # Make sure a loop isn't created when marking this bug
     # as duplicate.
     my %dupes;
@@ -1799,7 +1811,7 @@ sub set_dup_id {
     my ($self, $dup_id) = @_;
     my $old = $self->dup_id || 0;
     $self->set('dup_id', $dup_id);
-    my $new = $self->dup_id || 0;
+    my $new = $self->dup_id;
     return if $old == $new;
     
     # Update the other bug.
-- 
cgit v1.2.3-24-g4f1b