From f3747a93ee8fd995c3d06483997fc259ab8414d6 Mon Sep 17 00:00:00 2001
From: "myk%mozilla.org"
Date: Mon, 20 Aug 2001 20:36:10 +0000
Subject: [PATCH] Fix for bug 96085: don't allow unauthorized users to access restricted bugs that do not have a QA contact. Patch by Myk Melez r=Jake

---
 webtools/bugzilla/CGI.pl | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/webtools/bugzilla/CGI.pl b/webtools/bugzilla/CGI.pl
index 21a4ccb6b594..ddf5fa14cc00 100644
--- a/webtools/bugzilla/CGI.pl
+++ b/webtools/bugzilla/CGI.pl
@@ -294,13 +294,16 @@ sub ValidateBugID {
 my ($isauthorized, $reporter, $assignee, $qacontact, $reporter_accessible, $assignee_accessible, $qacontact_accessible, $cclist_accessible) = FetchSQLData();
- # Finish validation and return if the user is authorized either by being
- # a member of all necessary groups or by being the reporter, assignee, or QA contact.
- return
- if $isauthorized
- || ($reporter_accessible && $reporter == $userid)
- || ($assignee_accessible && $assignee == $userid)
- || ($qacontact_accessible && $qacontact == $userid);
+ # Finish validation and return if the user is a member of all groups to which the bug belongs.
+ return if $isauthorized;
+
+ # Finish validation and return if the user is in a role that has access to the bug.
+ if ($userid) {
+ return
+ if ($reporter_accessible && $reporter == $userid)
+ || ($assignee_accessible && $assignee == $userid)
+ || ($qacontact_accessible && $qacontact == $userid);
+ }
 # Try to authorize the user one more time by seeing if they are on
 # the cc: list. If so, finish validation and return.
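Review bot: The `if ($userid)` guard closes the anonymous-user hole, but the root cause — a bug with no QA contact yields an undef/0 `$qacontact` that numeric `==` happily matches against a 0 or undef `$userid` — is only handled indirectly, and the comparison still relies on that coincidence for any other zero-valued id. The QA contact line would be clearer and safe on its own with an explicit definedness check, `|| ($qacontact_accessible && defined $qacontact && $qacontact == $userid);`, which also avoids an uninitialized-value warning if the file is ever run under `use warnings`. The cc: list check that follows is outside this hunk; if it compares ids against `$userid` in the same way, it presumably needs to sit inside the same `if ($userid)` guard, which is worth confirming. `sub ValidateBugID` starts before the hunk and its body continues past it.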