From fc2d539c324a34254a5cb5e9ebeb386c39220f93 Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Mon, 4 Apr 2016 16:39:14 +0000
Subject: Bug 1257662 - Disallow clearing a flag if the flag is set to allow granting by specifc group and changer is not in group

---
 Bugzilla/Flag.pm | 6 +++---
 Bugzilla/User.pm | 7 +++++++
 2 files changed, 10 insertions(+), 3 deletions(-)

(limited to 'Bugzilla')

diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm
index 07041bd79..c6c979fa7 100644
--- a/Bugzilla/Flag.pm
+++ b/Bugzilla/Flag.pm
@@ -782,13 +782,13 @@ sub _check_setter {
     # Make sure the user is authorized to modify flags, see bug 180879:
     # - The flag exists and is unchanged.
     # - The flag setter can unset flag.
-    # - Users in the request_group can clear pending requests and set flags
-    #   and can rerequest set flags.
-    # - Users in the grant_group can set/clear flags, including "+" and "-".
+    # - Users in the request_group can clear pending requests
+    # - Users in the grant_group can set/cleari/request flags, including "+" and "-".
     unless (($status eq $self->{_old_status})
             || ($status eq 'X' && $setter->id == Bugzilla->user->id)
             || (($status eq 'X' || $status eq '?')
                 && $setter->can_request_flag($self->type))
+            || $setter->can_unset_flag($self->type, $self->{_old_status})
             || $setter->can_set_flag($self->type))
     {
         ThrowUserError('flag_update_denied',
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 5386e70ca..3fe59fe76 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1529,6 +1529,13 @@ sub can_set_flag {
         || $self->in_group_id($flag_type->grant_group_id)) ? 1 : 0;
 }
 
+sub can_unset_flag {
+    my ($self, $flag_type, $flag_status) = @_;
+    return 1 if !$flag_type->grant_group_id;
+    return 1 if ($flag_status ne '+' && $flag_status ne '-');
+    return $self->in_group_id($flag_type->grant_group_id) ? 1 : 0;
+}
+
 # visible_groups_inherited returns a reference to a list of all the groups
 # whose members are visible to this user.
 sub visible_groups_inherited {
-- 
cgit v1.2.3-24-g4f1b
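Review bot: The added `|| $setter->can_unset_flag($self->type, $self->{_old_status})` clause in `_check_setter` is not restricted to clearing requests, so when the old status is '?' it is true for every setter (`can_unset_flag` returns 1 whenever the old status is neither '+' nor '-') and lets a user outside the grant_group turn a pending request into '+' or '-', which the unchanged `can_set_flag` branch used to prevent. Gate it on the new status: `|| ($status eq 'X' && $setter->can_unset_flag($self->type, $self->{_old_status}))`. Because the condition is a pure disjunction, the existing `can_request_flag` branch still lets a request_group member clear a granted flag, so the restriction the subject describes only takes effect if that branch is also limited to pending flags (e.g. `&& $self->{_old_status} eq '?'`) — unless `can_request_flag` was tightened elsewhere, which this diff does not show. The new comment line also reads `set/cleari/request`; `set/clear/request` is presumably intended. `_check_setter` starts and ends outside the hunk.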
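Review bot: `can_unset_flag` in User.pm has no POD or leading comment, unlike the `visible_groups_inherited` sub that follows it, and its contract is not obvious from the code: it returns 1 when the flag type has no grant_group or when the current status is anything other than '+'/'-', and otherwise reports grant_group membership, without ever looking at the status being set. A header such as `# can_unset_flag: true if this user may clear a flag of $flag_type whose current status is $flag_status. Callers must only consult it for clear ('X') requests; it does not inspect the new status.` would make that explicit and would stop callers from using it as a general permission check. If `$flag_status` can be undef (for instance on flag creation — not visible in this diff), the two `ne` comparisons warn under `use warnings`; `$flag_status //= '';` before them would avoid that.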