Bug 309681 Prevent users from adding another user who shouldn't have access to a bug as assignee or CC member

Patch by Gabriel Sales de Oliveira <gabriel@async.com.br>
r=joel, a=justdave
This commit is contained in:
bugreport%peshkin.net 2005-10-17 21:19:09 +00:00
Родитель e699398bb5
Коммит 5b8b2b2d99
8 изменённых файлов: 93 добавлений и 27 удалений

Просмотреть файл

@ -1303,6 +1303,17 @@ sub ValidateDependencies {
return %deps;
}
#Verify if the new assignee belongs to the group of
#the product that the bug(s) is in.
sub can_add_user_to_bug {
my ($prod_id, $id, $uid) = @_;
my $user = new Bugzilla::User($uid);
if (!$user->can_edit_product($prod_id)) {
ThrowUserError("invalid_user_group", { 'user' =>
$user->login, bug_id => $id });
}
}
sub AUTOLOAD {
use vars qw($AUTOLOAD);
my $attr = $AUTOLOAD;

Просмотреть файл

@ -74,6 +74,12 @@ sub get_param_list {
name => 'usevisibilitygroups',
type => 'b',
default => 0
},
{
name => 'strict_isolation',
type => 'b',
default => 0
} );
return @param_list;
}

Просмотреть файл

@ -382,6 +382,26 @@ sub can_see_user {
return Bugzilla->dbh->selectrow_array($query, undef, $otherUser->id);
}
sub can_edit_product {
my ($self, $prod_id) = @_;
my $dbh = Bugzilla->dbh;
my $sth = $self->{sthCanEditProductId};
my $userid = $self->{id};
my $query = q{SELECT group_id FROM group_control_map
WHERE product_id =?
AND canedit != 0 };
if (%{$self->groups}) {
my $groups = join(',', values(%{$self->groups}));
$query .= qq{AND group_id NOT IN($groups)};
}
unless ($sth) { $sth = $dbh->prepare($query); }
$sth->execute($prod_id);
$self->{sthCanEditProductId} = $sth;
my $result = $sth->fetchrow_array();
return (!defined($result));
}
sub can_see_bug {
my ($self, $bugid) = @_;
my $dbh = Bugzilla->dbh;
@ -1535,6 +1555,11 @@ that you need to be aware of a group in order to bless a group.
Returns 1 if the specified user account exists and is visible to the user,
0 otherwise.
=item C<can_edit_product(prod_id)>
Determines if, given a product id, the user can edit bugs in this product
at all.
=item C<can_see_bug(bug_id)>
Determines if the user can see the specified bug.

Просмотреть файл

@ -218,7 +218,7 @@ sub validateCanChangeAttachment
ON bugs.bug_id = attachments.bug_id
WHERE attach_id = $attachid");
my $productid = FetchOneColumn();
CanEditProductId($productid)
Bugzilla->user->can_edit_product_id($productid)
|| ThrowUserError("illegal_attachment_edit",
{ attach_id => $attachid });
}

Просмотреть файл

@ -372,27 +372,6 @@ sub AnyDefaultGroups {
return $::CachedAnyDefaultGroups;
}
#
# This function checks if, given a product id, the user can edit
# bugs in this product at all.
sub CanEditProductId {
my ($productid) = @_;
my $dbh = Bugzilla->dbh;
my $query = "SELECT group_id FROM group_control_map " .
"WHERE product_id = $productid " .
"AND canedit != 0 ";
if (%{Bugzilla->user->groups}) {
$query .= "AND group_id NOT IN(" .
join(',', values(%{Bugzilla->user->groups})) . ") ";
}
$query .= $dbh->sql_limit(1);
PushGlobalSQLState();
SendSQL($query);
my ($result) = FetchSQLData();
PopGlobalSQLState();
return (!defined($result));
}
sub IsInClassification {
my ($classification,$productname) = @_;

Просмотреть файл

@ -984,6 +984,11 @@ if (defined $cgi->param('qa_contact')
# The QA contact cannot be deleted from show_bug.cgi for a single bug!
if ($name ne $cgi->param('dontchange')) {
$qacontact = DBNameToIdAndCheck($name) if ($name ne "");
if (Param("strict_isolation")) {
my $product_id = get_product_id($cgi->param('product'));
Bugzilla::Bug::can_add_user_to_bug(
$product_id, $cgi->param('id'), $qacontact);
}
DoComma();
if($qacontact) {
$::query .= "qa_contact = $qacontact";
@ -1046,7 +1051,14 @@ SWITCH: for ($cgi->param('knob')) {
}
ChangeStatus('NEW');
DoComma();
if (!defined $cgi->param('assigned_to')
if (defined $cgi->param('assigned_to')) {
my $uid = DBNameToIdAndCheck($cgi->param('assigned_to'));
if (Param("strict_isolation")) {
my $product_id = get_product_id($cgi->param('product'));
Bugzilla::Bug::can_add_user_to_bug(
$product_id, $cgi->param('id'), $uid);
}
} elsif (!defined $cgi->param('assigned_to')
|| trim($cgi->param('assigned_to')) eq "") {
ThrowUserError("reassign_to_empty");
}
@ -1276,6 +1288,7 @@ sub LogDependencyActivity {
# show_bug.cgi).
#
foreach my $id (@idlist) {
my $bug_obj = new Bugzilla::Bug($id, $whoid);
my %dependencychanged;
$bug_changed = 0;
my $write = "WRITE"; # Might want to make a param to control
@ -1350,6 +1363,15 @@ foreach my $id (@idlist) {
ThrowUserError("illegal_change", $vars);
}
}
if ($cgi->param('assigned_to') && Param("strict_isolation")) {
my $uid = DBNameToIdAndCheck($cgi->param('assigned_to'));
Bugzilla::Bug::can_add_user_to_bug(
$bug_obj->{'product_id'}, $id, $uid);
}
if ($cgi->param('qa_contact') && Param("strict_isolation")) {
Bugzilla::Bug::can_add_user_to_bug(
$bug_obj->{'product_id'}, $id, $qacontact);
}
# When editing multiple bugs, users can specify a list of keywords to delete
# from bugs. If the list matches the current set of keywords on those bugs,
@ -1370,7 +1392,7 @@ foreach my $id (@idlist) {
}
$oldhash{'product'} = get_product_name($oldhash{'product_id'});
if (!CanEditProductId($oldhash{'product_id'})) {
if (!Bugzilla->user->can_edit_product($oldhash{'product_id'})) {
ThrowUserError("product_edit_denied",
{ product => $oldhash{'product'} });
}
@ -1565,7 +1587,22 @@ foreach my $id (@idlist) {
$oncc{FetchOneColumn()} = 1;
}
my (@added, @removed) = ();
my (@added, @removed, @blocked_cc) = ();
if (Param("strict_isolation")) {
foreach my $pid (keys %cc_add) {
my $user = Bugzilla::User->new($pid);
if (!$user->can_edit_product($bug_obj->{'product_id'})) {
push (@blocked_cc, $cc_add{$pid});
}
}
if (scalar(@blocked_cc)) {
my $blocked_cc = join(", ", @blocked_cc);
ThrowUserError("invalid_user_group",
{'user' => $blocked_cc , bug_id => $id });
}
}
foreach my $pid (keys %cc_add) {
# If this person isn't already on the cc list, add them
if (! $oncc{$pid}) {

Просмотреть файл

@ -47,5 +47,8 @@
"information.",
usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
"specific groups?" }
"specific groups?",
strict_isolation => "Don't allow users to assign, be qa-contacts or add to CC list " _
"any user that do not have permission to edit the bug." }
%]

Просмотреть файл

@ -665,6 +665,11 @@
[% title = "Invalid regular expression" %]
The regular expression you entered is invalid.
[% ELSIF error == "invalid_user_group" %]
[% title = "Invalid User Group" %]
User '[% user FILTER html %]' is not able to edit the
[% terms.bug %] '[% bug_id FILTER html %]'.
[% ELSIF error == "invalid_username" %]
[% title = "Invalid Username" %]
The name <tt>[% name FILTER html %]</tt> is not a valid username.