From 126c2d754cfd61217b1d097e9adac9092ac27a29 Mon Sep 17 00:00:00 2001
From: "myk%mozilla.org" <>
Date: Tue, 21 Aug 2001 03:36:10 +0000
Subject: Fix for bug 96085: don't allow unauthorized users to access restricted bugs that do not have a QA contact. Patch by Myk Melez r=Jake
---
 CGI.pl | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
(limited to 'CGI.pl')
diff --git a/CGI.pl b/CGI.pl
index 21a4ccb6b..ddf5fa14c 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -294,13 +294,16 @@ sub ValidateBugID {
 my ($isauthorized, $reporter, $assignee, $qacontact, $reporter_accessible, $assignee_accessible, $qacontact_accessible, $cclist_accessible) = FetchSQLData();
- # Finish validation and return if the user is authorized either by being
- # a member of all necessary groups or by being the reporter, assignee, or QA contact.
- return
- if $isauthorized
- || ($reporter_accessible && $reporter == $userid)
- || ($assignee_accessible && $assignee == $userid)
- || ($qacontact_accessible && $qacontact == $userid);
+ # Finish validation and return if the user is a member of all groups to which the bug belongs.
+ return if $isauthorized;
+
+ # Finish validation and return if the user is in a role that has access to the bug.
+ if ($userid) {
+ return
+ if ($reporter_accessible && $reporter == $userid)
+ || ($assignee_accessible && $assignee == $userid)
+ || ($qacontact_accessible && $qacontact == $userid);
+ }
 # Try to authorize the user one more time by seeing if they are on # the cc: list. If so, finish validation and return.
--
cgit v1.2.3-24-g4f1b
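Review bot: The new `if ($userid)` guard carries the whole fix, yet the comment above it does not say why the guard is needed; going by the subject line, a logged-out user presumably has a zero `$userid` that compared equal to an unset QA contact field. I would record that reason directly above the guard, e.g. `# Skip the role checks for anonymous users: a zero $userid would otherwise match an unset role field.` The cc: list check that follows appears only as trailing context and continues outside the hunk, so it is worth confirming that it cannot succeed for a zero `$userid` either. ValidateBugID's body starts and ends outside the hunk.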