author | lpsolit%gmail.com <> | 2007-06-21 19:06:05 +0000 |
---|---|---|
committer | lpsolit%gmail.com <> | 2007-06-21 19:06:05 +0000 |
commit | 1609f8fcf3d9b2b68cc0892e3948402020e4ea09 (patch) | |
tree | 08667f3749828e2110aeb1e43efdb0747fe69222 | |
parent | 275a10ab18b0e6c713a74ac37532022ff5ecd2ff (diff) | |
Bug 385209: Any (powerless) user who can see a restricted bug can remove the bug from non-mandatory groups, which should only be possible when moving the bug to another product - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
-rwxr-xr-x | process_bug.cgi | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/process_bug.cgi b/process_bug.cgi index 98b799670..f0cd560cd 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -227,6 +227,7 @@ if ($cgi->cookie("BUGLIST") && defined $cgi->param('id')) { defined($cgi->param('product')) || ThrowCodeError('undefined_field', { field => 'product' }); +my $product_change = 0; if ((defined $cgi->param('id') && $cgi->param('product') ne $bug->product) || (!$cgi->param('id') && $cgi->param('product') ne $cgi->param('dontchange'))) @@ -371,6 +372,7 @@ if ((defined $cgi->param('id') && $cgi->param('product') ne $bug->product) || ThrowTemplateError($template->error()); exit; } + $product_change = 1; } # At this point, the component must be defined, even if set to "dontchange". @@ -1387,7 +1389,12 @@ foreach my $id (@idlist) { } # When editing several bugs at once, only consider groups which # have been displayed. - elsif (defined $cgi->param('id') || defined $cgi->param("bit-$gid")) { + # Only members of a group can add/remove the bug to/from it, + # unless the bug is being moved to another product in which case + # non-members can also edit group restrictions. + elsif (($user->in_group_id($gid) || $product_change) + && (defined $cgi->param('id') || defined $cgi->param("bit-$gid"))) + { if (!$cgi->param("bit-$gid")) { delete $updated_groups{$gid}; } |
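Review bot: `$product_change` is a single request-wide flag, yet the new `elsif` in the third hunk consults it inside `foreach my $id (@idlist)` for every bug in the list. In the first hunk's condition the mass-edit branch is true whenever `product` differs from `dontchange`, so, unless code outside these hunks narrows it, a bug that already belongs to the submitted product still gets the non-member exemption from `$user->in_group_id($gid)`. Consider deciding this per bug, by comparing that bug's current product with the submitted one inside the loop, and at minimum document the flag where it is declared: `# True when the request changes the product; set once per request, not per bug.` The enclosing loop and the `if`/`elsif` chain both begin and end outside the hunk.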