From: mkanat%bugzilla.org <>
Date: Wed, 8 Jul 2009 13:56:51 +0000 (+0000)
Subject: Bug 495257: [SECURITY] Make check_can_change_field enforce permissions on confirming...
X-Git-Tag: bugzilla-3.2.4~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=515696b9860c466b4e8ee558fcc90676ccec4bbf;p=thirdparty%2Fbugzilla.git
Bug 495257: [SECURITY] Make check_can_change_field enforce permissions on confirming a bug and on which bug statuses a user can set Patch by Max Kanat-Alexander r=LpSolit, a=mkanat
---
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 4aa224f6c0..ff8fffdf25 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -159,6 +159,7 @@ use constant UPDATE_VALIDATORS => {
 bug_status => \&_check_bug_status,
 cclist_accessible => \&Bugzilla::Object::check_boolean,
 dup_id => \&_check_dup_id,
+ everconfirmed => \&Bugzilla::Object::check_boolean,
 qa_contact => \&_check_qa_contact,
 reporter_accessible => \&Bugzilla::Object::check_boolean,
 resolution => \&_check_resolution,
@@ -3248,6 +3249,7 @@ sub check_can_change_field {
 # *Only* users with (product-specific) "canconfirm" privs can confirm bugs.
 if ($field eq 'canconfirm'
+ || ($field eq 'everconfirmed' && $newvalue)
 || ($field eq 'bug_status'
 && $oldvalue eq 'UNCONFIRMED'
 && is_open_state($newvalue)))
@@ -3303,6 +3305,18 @@ sub check_can_change_field {
 $$PrivilegesRequired = 2;
 return 0;
 }
+ # - unconfirm bugs (confirming them is handled above)
+ if ($field eq 'everconfirmed') {
+ $$PrivilegesRequired = 2;
+ return 0;
+ }
+ # - change the status from one open state to another
+ if ($field eq 'bug_status'
+ && is_open_state($oldvalue) && is_open_state($newvalue))
+ {
+ $$PrivilegesRequired = 2;
+ return 0;
+ }
 # The reporter is allowed to change anything else.
 if (!$self->{'error'} && $self->{'reporter_id'} == $user->id) {
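Review bot: The new `everconfirmed => \&Bugzilla::Object::check_boolean` entry in UPDATE_VALIDATORS only normalizes the value; nothing on this line records that the permission decision for the field is made elsewhere, and a reader of this table has no hint that setting it is privileged. The two later hunks add the `everconfirmed` branches to check_can_change_field, so a trailing comment such as `everconfirmed => \&Bugzilla::Object::check_boolean, # who may change this is enforced in check_can_change_field` would tie the validator to its permission check. The UPDATE_VALIDATORS constant continues outside the hunk.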
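Review bot: The added `|| ($field eq 'everconfirmed' && $newvalue)` clause decides "this is a confirmation" on the plain truthiness of `$newvalue`; that is right for a value already normalized by the check_boolean validator from the first hunk, but an unnormalized form value such as the string `'off'` is true in Perl and would be routed into the canconfirm branch (fail-closed, but a surprising denial for what is really an unconfirm). The order in which the validator and check_can_change_field run is not visible in this hunk, so it is worth confirming that no caller reaches this check with a raw value. The comment above the condition still describes only the status path; `# *Only* users with (product-specific) "canconfirm" privs can confirm bugs, either by setting everconfirmed or by moving an UNCONFIRMED bug to another open state.` would cover both clauses. check_can_change_field starts and ends outside the hunk.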
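Review bot: The open-to-open status block, `if ($field eq 'bug_status' && is_open_state($oldvalue) && is_open_state($newvalue))`, is only correct because the UNCONFIRMED-to-open transition was already intercepted by the canconfirm branch earlier in the sub (UNCONFIRMED is itself an open state, so this condition would otherwise also match a confirmation); that dependency is stated for the everconfirmed block but not here, so `# - change the status from one open state to another (UNCONFIRMED -> open was already routed through canconfirm above)` would make the ordering assumption explicit. Both new blocks repeat the `$$PrivilegesRequired = 2; return 0;` tail the neighbouring field checks use, which appears to be the file's convention, so this is a readability remark rather than a defect. Since this is the security-relevant part of the fix, a regression test that a reporter without editbugs is denied both an open-to-open status change and setting everconfirmed back to false would pin the new behaviour; what privilege level 2 denotes is not visible in this hunk. check_can_change_field continues outside the hunk.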