From 1609f8fcf3d9b2b68cc0892e3948402020e4ea09 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Thu, 21 Jun 2007 19:06:05 +0000
Subject: =?UTF-8?q?Bug=20385209:=20Any=20(powerless)=20user=20who=20can=20?= =?UTF-8?q?see=20a=20restricted=20bug=20can=20remove=20the=20bug=20from=20?= =?UTF-8?q?non-mandatory=20groups,=20which=20should=20only=20be=20possible?= =?UTF-8?q?=20when=20moving=20the=20bug=20to=20another=20product=20-=20Pat?= =?UTF-8?q?ch=20by=20Fr=C3=83=C2=A9d=C3=83=C2=A9ric=20Buclin=20=20r=3Dmkanat=20a=3DLpSolit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 process_bug.cgi | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/process_bug.cgi b/process_bug.cgi
index 98b799670..f0cd560cd 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -227,6 +227,7 @@ if ($cgi->cookie("BUGLIST") && defined $cgi->param('id')) {
 defined($cgi->param('product')) || ThrowCodeError('undefined_field', { field => 'product' });
+my $product_change = 0;
 if ((defined $cgi->param('id') && $cgi->param('product') ne $bug->product) ||
 (!$cgi->param('id') && $cgi->param('product') ne $cgi->param('dontchange')))
@@ -371,6 +372,7 @@ if ((defined $cgi->param('id') && $cgi->param('product') ne $bug->product) ||
 ThrowTemplateError($template->error());
 exit;
 }
+ $product_change = 1;
 }
 # At this point, the component must be defined, even if set to "dontchange".
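Review bot: `$product_change` is declared at file scope in the first hunk with no comment, yet it is read more than a thousand lines further down (around line 1389) to relax a group-membership check, so its security role is easy to miss when either end is edited. A comment on the declaration would make the coupling explicit, e.g. `# Set to 1 only after a product change has been accepted below; it lets non-members of a group edit that group's restriction on the bug.` The `if` block that sets the flag starts in this hunk and continues outside it.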
@@ -1387,7 +1389,12 @@ foreach my $id (@idlist) {
 }
 # When editing several bugs at once, only consider groups which
 # have been displayed.
- elsif (defined $cgi->param('id') || defined $cgi->param("bit-$gid")) {
+ # Only members of a group can add/remove the bug to/from it,
+ # unless the bug is being moved to another product in which case
+ # non-members can also edit group restrictions.
+ elsif (($user->in_group_id($gid) || $product_change)
+ && (defined $cgi->param('id') || defined $cgi->param("bit-$gid")))
+ {
 if (!$cgi->param("bit-$gid")) {
 delete $updated_groups{$gid};
 }
-- cgit v1.2.1
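Review bot: `$product_change` is a single request-wide flag, but the relaxed test in the new `elsif` is evaluated once per bug inside `foreach my $id (@idlist)`. For a mass edit the flag is set whenever the submitted product differs from the `dontchange` value (the condition shown in the first hunk), so a bug in the list that already belongs to the target product would, as far as these hunks show, still pass the `|| $product_change` branch for a non-member. Consider deciding the exemption per bug, by comparing that bug's current product with the submitted one inside the loop, unless code outside the hunk already guarantees this. It would also help to note in the comment that a non-member's `bit-$gid` value is silently ignored rather than rejected, so the behaviour is clearly intentional.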