Bug 121576: fields should not be editable when viewing a bug if the user is not logged in

Patch by Olav Vitters <olav@bkor.dhs.org> r=LpSolit a=justdave

diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 597d52f53c267eefa8430e0769746cd8e6282571..afb8c567af3c5af6ccc3e88559e4044045ac2578 100755 (executable)
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -1192,14 +1192,7 @@ sub user {
     my $user = Bugzilla->user;
     my $canmove = Bugzilla->params->{'move-enabled'} && $user->is_mover;
 
-    # In the below, if the person hasn't logged in, then we treat them
-    # as if they can do anything.  That's because we don't know why they
-    # haven't logged in; it may just be because they don't use cookies.
-    # Display everything as if they have all the permissions in the
-    # world; their permissions will get checked when they log in and
-    # actually try to make the change.
-    my $unknown_privileges = !$user->id
-                             || $user->in_group("editbugs");
+    my $unknown_privileges = $user->in_group("editbugs");
     my $canedit = $unknown_privileges
                   || $user->id == $self->{assigned_to_id}
                   || (Bugzilla->params->{'useqacontact'}

diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index ee13bbc2f2f8bd72190a6bbd35080dfff970bf61..a896bd6820d641a849bbc536094e405cf0e62f27 100644 (file)
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -20,6 +20,7 @@
   #                 Vaskin Kissoyan <vkissoyan@yahoo.com>
   #                 Max Kanat-Alexander <mkanat@bugzilla.org>
   #                 Frédéric Buclin <LpSolit@gmail.com>
+  #                 Olav Vitters <olav@bkor.dhs.org>
   #%]
 
 [% PROCESS global/variables.none.tmpl %]
@@ -215,7 +216,7 @@
               [% FOREACH field = fields %]
                 <tr>
                   [% PROCESS bug/field.html.tmpl value=bug.${field.name}
-                                                 editable = bug.check_can_change_field(field.name, 0, 1) || !user.id
+                                                 editable = bug.check_can_change_field(field.name, 0, 1)
                                                  value_span = 2 %]
                 </tr>
               [% END %]
@@ -262,10 +263,22 @@
           <table cellspacing="1" cellpadding="1">
             <tr>
               <td colspan="2" valign="top">
-                [% IF bug.flag_types.size > 0 %]
-                  [% PROCESS "flag/list.html.tmpl" flag_no_header = 1
-                                                   flag_types = bug.flag_types
-                                                   any_flags_requesteeble = bug.any_flags_requesteeble %]
+                [% IF user.id %]
+                  [% IF bug.flag_types.size > 0 %]
+                    [% PROCESS "flag/list.html.tmpl" flag_no_header = 1
+                                                     flag_types = bug.flag_types
+                                                     any_flags_requesteeble = bug.any_flags_requesteeble %]
+                  [% END %]
+                [% ELSE %]
+                  [% FOREACH type = bug.flag_types %]
+                    [% FOREACH flag = type.flags %]
+                        [% flag.setter.nick FILTER html %]:
+                        [%+ type.name FILTER html FILTER no_break %][% flag.status %]
+                        [%+ IF flag.requestee %]
+                          ([% flag.requestee.nick FILTER html %])
+                        [% END %]<br>
+                    [% END %]
+                  [% END %]
                 [% END %]
               </td>
             </tr>
@@ -362,40 +375,42 @@
   <br>
   <table cellpadding="1" cellspacing="1">
     <tr>
-      <td>
-        <label for="comment" accesskey="c"><b>Additional <u>C</u>omments</b></label>:
-        [% IF Param("insidergroup") && user.in_group(Param("insidergroup")) %]
-          <input type="checkbox" name="commentprivacy" value="1"
-                 id="newcommentprivacy"
-                 onClick="updateCommentTagControl(this, form)">
-          <label for="newcommentprivacy">Private</label>
-        [% END %]
-        <br>
-        <a name="add_comment"></a>
-        [% INCLUDE global/textarea.html.tmpl
-                   name      = 'comment'
-                   id        = 'comment'
-                   minrows   = 10
-                   maxrows   = 25
-                   cols      = constants.COMMENT_COLS
-        %]
-
-        [% IF NOT bug.cc || NOT bug.cc.contains(user.login) %]
-          [% has_role = bug.user.isreporter
-                        || bug.assigned_to.id == user.id
-                        || (Param('useqacontact')
-                            && bug.qa_contact
-                            && bug.qa_contact.id == user.id) %]
-
+      [% IF user.id %]
+        <td>
+          <label for="comment" accesskey="c"><b>Additional <u>C</u>omments</b></label>:
+          [% IF Param("insidergroup") && user.in_group(Param("insidergroup")) %]
+            <input type="checkbox" name="commentprivacy" value="1"
+                   id="newcommentprivacy"
+                   onClick="updateCommentTagControl(this, form)">
+            <label for="newcommentprivacy">Private</label>
+          [% END %]
           <br>
-          <input type="checkbox" id="addselfcc" name="addselfcc"
-            [% " checked=\"checked\""
-                 IF user.settings.state_addselfcc.value == 'always'
-                    || (!has_role
-                        && user.settings.state_addselfcc.value == 'cc_unless_role') %]>
-          <label for="addselfcc">Add [% user.identity FILTER html %] to CC list</label>
-        [% END %]
-      </td>
+          <a name="add_comment"></a>
+          [% INCLUDE global/textarea.html.tmpl
+                     name      = 'comment'
+                     id        = 'comment'
+                     minrows   = 10
+                     maxrows   = 25
+                     cols      = constants.COMMENT_COLS
+          %]
+
+          [% IF NOT bug.cc || NOT bug.cc.contains(user.login) %]
+            [% has_role = bug.user.isreporter
+                          || bug.assigned_to.id == user.id
+                          || (Param('useqacontact')
+                              && bug.qa_contact
+                              && bug.qa_contact.id == user.id) %]
+
+            <br>
+            <input type="checkbox" id="addselfcc" name="addselfcc"
+              [% " checked=\"checked\""
+                   IF user.settings.state_addselfcc.value == 'always'
+                      || (!has_role
+                          && user.settings.state_addselfcc.value == 'cc_unless_role') %]>
+            <label for="addselfcc">Add [% user.identity FILTER html %] to CC list</label>
+          [% END %]
+        </td>
+      [% END %]
 
       <td valign="top">
         <fieldset>
@@ -491,7 +506,7 @@
     [% END %]
   [% END %]
 
-[% PROCESS bug/knob.html.tmpl %]
+[% PROCESS bug/knob.html.tmpl IF user.id %]
 
 [%# *** Additional Comments *** %]
 
@@ -500,7 +515,7 @@
 <div id="comments">
 [% PROCESS bug/comments.html.tmpl
    comments = bug.longdescs
-   mode = "edit"
+   mode = user.id ? "edit" : "show"
  %]
 </div>
 
@@ -658,7 +673,7 @@
         <label for="qa_contact" accesskey="q"><b><u>Q</u>A Contact</b></label>:
       </td>
       <td colspan="7">
-        [% IF bug.check_can_change_field("qa_contact", 0, 1) || !user.id %]
+        [% IF bug.check_can_change_field("qa_contact", 0, 1) %]
           [% INCLUDE global/userselect.html.tmpl
               id => "qa_contact"
               name => "qa_contact"
@@ -667,7 +682,7 @@
               emptyok => 1
           %]
         [% ELSE %]
-          <input type="hidden" name="qa_contact"
+          <input type="hidden" name="qa_contact" id="qa_contact"
                  value="[% bug.qa_contact.login FILTER html %]">
           <a href="mailto:[% bug.qa_contact.email FILTER html %]">
             [% IF bug.qa_contact.login && bug.qa_contact.login.length > 30 %]
@@ -683,20 +698,22 @@
     </tr>
     [% END %]
 
-    <tr>
-      <td align="right" valign="top">
-        <label for="newcc" accesskey="a"><b><u>A</u>dd&nbsp;CC</b></label>:
-      </td>
-      <td>
-         [% INCLUDE global/userselect.html.tmpl
-            id => "newcc"
-            name => "newcc"
-            value => ""
-            size => 30
-            multiple => 5
-          %]
-      </td>
-    </tr>
+    [% IF user.id %]
+      <tr>
+        <td align="right" valign="top">
+          <label for="newcc" accesskey="a"><b><u>A</u>dd&nbsp;CC</b></label>:
+        </td>
+        <td>
+           [% INCLUDE global/userselect.html.tmpl
+              id => "newcc"
+              name => "newcc"
+              value => ""
+              size => 30
+              multiple => 5
+            %]
+        </td>
+      </tr>
+    [% END %]
 
     <tr>
       [% IF bug.cc %]
@@ -704,15 +721,18 @@
           <label for="cc"><b>CC</b></label>:
         </td>
         <td valign="top">
-          <select id="cc" name="cc" multiple="multiple" size="5">
+          <select id="cc" name="cc" multiple="multiple" size="5"
+                  [%- " disabled=\"disabled\"" IF !user.id %]>
           [% FOREACH c = bug.cc %]
             <option value="[% c FILTER html %]">[% c FILTER html %]</option>
           [% END %]
           </select>
-          <br>
-          <input type="checkbox" id="removecc" name="removecc">
-          [%%]<label for="removecc">Remove selected CCs</label>
-          <br>
+          [% IF user.id %]
+            <br>
+            <input type="checkbox" id="removecc" name="removecc">
+            [%%]<label for="removecc">Remove selected CCs</label>
+            <br>
+          [% END %]
         </td>
       [% ELSE %]
         <td colspan="2"><input type="hidden" name="cc" value=""></td>
@@ -736,11 +756,11 @@
   [% END %]
   </td>
   <td>
-    [% IF bug.check_can_change_field(dep.fieldname, 0, 1) || !user.id %]
+    [% IF bug.check_can_change_field(dep.fieldname, 0, 1) %]
       <input name="[% dep.fieldname %]" id="[% dep.fieldname %]"
              value="[% bug.${dep.fieldname}.join(', ') %]">
     [% ELSE %]
-      <input type="hidden" name="[% dep.fieldname %]"
+      <input type="hidden" id="[% dep.fieldname %]" name="[% dep.fieldname %]"
              value="[% bug.${dep.fieldname}.join(', ') %]">
     [% END %]
   </td>
@@ -753,7 +773,7 @@
 
 [% BLOCK select %]
   <td>
-    [% IF bug.check_can_change_field(selname, 0, 1) || !user.id %]
+    [% IF bug.check_can_change_field(selname, 0, 1) %]
       <select id="[% selname %]" name="[% selname %]">
         [% FOREACH x = bug.choices.${selname} %]
           <option value="[% x FILTER html %]"
@@ -762,7 +782,7 @@
         [% END %]
       </select>
     [% ELSE %]
-      <input type="hidden" name="[% selname %]" value="[% bug.${selname} FILTER html %]">
+      <input type="hidden" id="[% selname %]" name="[% selname %]" value="[% bug.${selname} FILTER html %]">
       [% bug.${selname} FILTER html %]
     [% END %]
   </td>
@@ -775,7 +795,7 @@
 [% BLOCK input %]
   <td[% " colspan=\"$colspan\"" IF colspan %]>
     [% val = value ? value : bug.$inputname %]
-    [% IF bug.check_can_change_field(inputname, 0, 1) || !user.id %]
+    [% IF bug.check_can_change_field(inputname, 0, 1) %]
        <input id="[% inputname %]" name="[% inputname %]"
               value="[% val FILTER html %]"[% " size=\"$size\"" IF size %]
               [% " maxlength=\"$maxlength\"" IF maxlength %]>

diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index 58988b68e2057a096aa848f343b45be662dadd7d..2057e397401ca07aa200f44522b918ccb47c2754 100644 (file)
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -319,7 +319,8 @@
   'inputname',
   '" colspan=\"$colspan\"" IF colspan',
   '" size=\"$size\"" IF size',
-  '" maxlength=\"$maxlength\"" IF maxlength'
+  '" maxlength=\"$maxlength\"" IF maxlength',
+  'flag.status',
 ],
 
 'bug/knob.html.tmpl' => [