From 1609f8fcf3d9b2b68cc0892e3948402020e4ea09 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Thu, 21 Jun 2007 19:06:05 +0000
Subject: Bug 385209: Any (powerless) user who can see a restricted bug can remove the bug from non-mandatory groups, which should only be possible when moving the bug to another product - Patch by Frédéric Buclin r=mkanat a=LpSolit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 process_bug.cgi | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'process_bug.cgi')

diff --git a/process_bug.cgi b/process_bug.cgi
index 98b799670..f0cd560cd 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -227,6 +227,7 @@ if ($cgi->cookie("BUGLIST") && defined $cgi->param('id')) {
 defined($cgi->param('product'))
 || ThrowCodeError('undefined_field', { field => 'product' });

+my $product_change = 0;
 if ((defined $cgi->param('id') && $cgi->param('product') ne $bug->product) ||
 (!$cgi->param('id')
 && $cgi->param('product') ne $cgi->param('dontchange')))
@@ -371,6 +372,7 @@ if ((defined $cgi->param('id') && $cgi->param('product') ne $bug->product) ||
 ThrowTemplateError($template->error());
 exit;
 }
+ $product_change = 1;
 }

 # At this point, the component must be defined, even if set to "dontchange".
@@ -1387,7 +1389,12 @@ foreach my $id (@idlist) {
 }
 # When editing several bugs at once, only consider groups which
 # have been displayed.
- elsif (defined $cgi->param('id') || defined $cgi->param("bit-$gid")) {
+ # Only members of a group can add/remove the bug to/from it,
+ # unless the bug is being moved to another product in which case
+ # non-members can also edit group restrictions.
+ elsif (($user->in_group_id($gid) || $product_change)
+ && (defined $cgi->param('id') || defined $cgi->param("bit-$gid")))
+ {
 if (!$cgi->param("bit-$gid")) {
 delete $updated_groups{$gid};
 }
--
cgit v1.2.3-24-g4f1b
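Review bot: The new `elsif` in the third hunk fails silently: a non-member who submits `bit-$gid` for a bug whose product is not changing now simply falls out of the chain, so a forged or stale group field is discarded without any indication while the rest of the update is still applied. For an authorization check on a restricted bug I would fail loudly instead, e.g. throw a user error when `defined $cgi->param("bit-$gid") && !$user->in_group_id($gid) && !$product_change` before the chain, so that unexpected group edits from non-members are rejected and show up in the logs rather than being dropped. The `elsif` chain begins outside the hunk, so I cannot see whether the preceding branch already covers mandatory groups; a comment above the new branch such as `# Mandatory groups are handled by the branch above; this branch only covers optional groups` would make that dependency explicit. Note also that `$product_change` is assigned at +372 only after the product-change block has run to completion, so when that block hits the `exit` just above it the flag stays 0; this looks intended but is worth saying in the new comment, since the group check depends on it.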