From: myk%mozilla.org <>
Date: Tue, 21 Aug 2001 03:36:10 +0000 (+0000)
Subject: Fix for bug 96085: don't allow unauthorized users to access restricted bugs that...
X-Git-Tag: bugzilla-2.14~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=126c2d754cfd61217b1d097e9adac9092ac27a29;p=thirdparty%2Fbugzilla.git
Fix for bug 96085: don't allow unauthorized users to access restricted bugs that do not have a QA contact. Patch by Myk Melez r=Jake
---
diff --git a/CGI.pl b/CGI.pl
index 21a4ccb6b5..ddf5fa14cc 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -294,13 +294,16 @@ sub ValidateBugID {
 my ($isauthorized, $reporter, $assignee, $qacontact, $reporter_accessible, $assignee_accessible, $qacontact_accessible, $cclist_accessible) = FetchSQLData();
- # Finish validation and return if the user is authorized either by being
- # a member of all necessary groups or by being the reporter, assignee, or QA contact.
- return
- if $isauthorized
- || ($reporter_accessible && $reporter == $userid)
- || ($assignee_accessible && $assignee == $userid)
- || ($qacontact_accessible && $qacontact == $userid);
+ # Finish validation and return if the user is a member of all groups to which the bug belongs.
+ return if $isauthorized;
+
+ # Finish validation and return if the user is in a role that has access to the bug.
+ if ($userid) {
+ return
+ if ($reporter_accessible && $reporter == $userid)
+ || ($assignee_accessible && $assignee == $userid)
+ || ($qacontact_accessible && $qacontact == $userid);
+ }
 # Try to authorize the user one more time by seeing if they are on # the cc: list. If so, finish validation and return.
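Review bot: The new `if ($userid)` guard around the role comparisons has no comment explaining why it is needed, and the cc: list check that follows the hunk stays outside it. Judging from the commit message, a logged-out viewer's `$userid` presumably compared equal to the value stored for a missing QA contact, so I would record that above the guard: `# A logged-out user has a false $userid, which would otherwise equal the id of an unset role such as a missing QA contact.` The cc: list lookup is not visible here, so confirm it cannot match when `$userid` is false, or move it under the same guard. ValidateBugID starts before and continues after this hunk.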