From 01503e37e5415702b30e0fe8ff58c31d69e404a0 Mon Sep 17 00:00:00 2001 From: "justdave%syndicomm.com" <> Date: Mon, 13 Aug 2001 07:46:18 +0000 Subject: Fix for bug 39816: Anyone in CC, Reporter, QA Contact, or Asigned To fields can now be given access to view a bug even if the permissions on that bug are set to a group that would normally exclude those people. Patch by Myk Melez r= justdave@syndicomm.com --- CGI.pl | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 55 insertions(+), 16 deletions(-) (limited to 'CGI.pl') diff --git a/CGI.pl b/CGI.pl index 2f1a189b3..5a86b7ad1 100644 --- a/CGI.pl +++ b/CGI.pl @@ -266,33 +266,72 @@ sub ValidateBugID { # the user is a member of all groups to which the bug is restricted # and is authorized to access the bug. + # A user is also authorized to access a bug if she is the reporter, + # assignee, QA contact, or member of the cc: list of the bug and the bug + # allows users in those roles to see the bug. The boolean fields + # reporter_accessible, assignee_accessible, qacontact_accessible, and + # cclist_accessible identify whether or not those roles can see the bug. + # Bit arithmetic is performed by MySQL instead of Perl because bitset # fields in the database are 64 bits wide (BIGINT), and Perl installations # may or may not support integers larger than 32 bits. Using bitsets # and doing bitset arithmetic is probably not cross-database compatible, # however, so these mechanisms are likely to change in the future. - SendSQL("SELECT ((groupset & $usergroupset) = groupset) - FROM bugs WHERE bug_id = $id"); + + # Get data from the database about whether or not the user belongs to + # all groups the bug is in, and who are the bug's reporter and qa_contact + # along with which roles can always access the bug. + SendSQL("SELECT ((groupset & $usergroupset) = groupset) , reporter , assigned_to , qa_contact , + reporter_accessible , assignee_accessible , qacontact_accessible , cclist_accessible + FROM bugs + WHERE bug_id = $id"); # Make sure the bug exists in the database. MoreSQLData() || DisplayError("Bug #$id does not exist.") && exit; - # Make sure the user is authorized to access the bug. - my ($isauthorized) = FetchSQLData(); - $isauthorized - || ( - $userid ? - DisplayError("You are not authorized to access bug #$id.") : - DisplayError( - qq|You are not authorized to access bug #$id. - To see this bug, you must first - log in - to an account with the appropriate permissions.| - ) - ) - && exit; + my ($isauthorized, $reporter, $assignee, $qacontact, $reporter_accessible, + $assignee_accessible, $qacontact_accessible, $cclist_accessible) = FetchSQLData(); + + # Finish validation and return if the user is authorized either by being + # a member of all necessary groups or by being the reporter, assignee, or QA contact. + return + if $isauthorized + || ($reporter_accessible && $reporter == $userid) + || ($assignee_accessible && $assignee == $userid) + || ($qacontact_accessible && $qacontact == $userid); + + # Try to authorize the user one more time by seeing if they are on + # the cc: list. If so, finish validation and return. + if ( $cclist_accessible ) { + my @cclist; + SendSQL("SELECT cc.who + FROM bugs , cc + WHERE bugs.bug_id = $id + AND cc.bug_id = bugs.bug_id + "); + while (my ($ccwho) = FetchSQLData()) { + push @cclist , $ccwho; + } + return if grep($userid == $_ , @cclist); + } + + # The user did not pass any of the authorization tests, which means they + # are not authorized to see the bug. Display an error and stop execution. + # The error the user sees depends on whether or not they are logged in + # (i.e. $userid contains the user's positive integer ID). + if ($userid) { + DisplayError("You are not authorized to access bug #$id."); + } else { + DisplayError( + qq|You are not authorized to access bug #$id. To see this bug, you + must first log in + to an account with the appropriate permissions.| + ); + } + exit; + } # check and see if a given string actually represents a positive -- cgit v1.2.1