From: Byron Jones
Date: Tue, 10 May 2011 05:47:46 +0000 (+0800)
Subject: Bug 28849: Block users from CCing other users if they do not have editbugs privs
X-Git-Tag: bugzilla-4.1.3~84
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=804336689c430040f478520ea6655260cbd6735d;p=thirdparty%2Fbugzilla.git
Bug 28849: Block users from CCing other users if they do not have editbugs privs
r=LpSolit, a=LpSolit
---
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index f3d635344b..4f5c0f236f 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -2658,6 +2658,10 @@ sub remove_cc {
 my ($self, $user_or_name) = @_;
 my $user = ref $user_or_name ? $user_or_name : Bugzilla::User->check($user_or_name);
+ my $currentUser = Bugzilla->user;
+ if (!$self->user->{'canedit'} && $user->id != $currentUser->id) {
+ ThrowUserError('cc_remove_denied');
+ }
 my $cc_users = $self->cc_users;
 @$cc_users = grep { $_->id != $user->id } @$cc_users;
 }
diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index 0aa5f80af6..f64d589c92 100644
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -830,16 +830,26 @@ [% END %] [% IF bug.cc %] - [% FOREACH c = bug.cc %] [% END %] - [% IF user.id %] + [% IF user.id && !bug.user.canedit %] + + [% END %] + [% IF user.id AND (bug.user.canedit OR bug.cc.contains(user.login)) %]
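Review bot: The guard added to remove_cc in Bugzilla/Bug.pm is the only server-side check in this commit, although the title speaks of blocking users from CCing others. The code path that adds a CC is not shown in this diff; if it has no equivalent test, the restriction on adding rests on the template hiding the field, and a request that does not come from the rendered form never passes through the template. In that case the add path needs the same condition, `!$self->user->{'canedit'} && $user->id != Bugzilla->user->id`, with its own error tag. Within the added lines, `$currentUser` is used once and breaks the snake_case of `$cc_users` and `$user_or_name`, so comparing against `Bugzilla->user->id` directly would read more consistently. The opening line of remove_cc appears only in the hunk header.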
- [%%] +
[% END %] [% END %]
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 1dd747f30a..52bacc4575 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -280,6 +280,10 @@ 'query.html#list' => "$terms.Bug lists"} %]
 You may not search, or create saved searches, without any search terms.
+ [% ELSIF error == "cc_remove_denied" %]
+ [% title = "Change Denied" %]
+ You do not have permission to remove other people from the CC list.
+
 [% ELSIF error == "chart_too_large" %]
 [% title = "Chart Too Large" %]
 Sorry, but 2000 x 2000 is the maximum size for a chart.
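Review bot: The two conditions added in template/en/default/bug/edit.html.tmpl spell their operators differently, `user.id && !bug.user.canedit` in one directive and `AND`/`OR` in the next; one form throughout, for example `[% IF user.id AND NOT bug.user.canedit %]`, makes it easier to see that the two branches are meant as complements. The second condition identifies the viewer through `bug.cc.contains(user.login)` while remove_cc in Bug.pm compares `id` values, so a template comment such as `[%# Shown to editors, or to a user who is on the CC list themselves; Bug::remove_cc enforces the same rule %]` would tie the display rule to the server-side check. The markup between these directives is not visible on this page, so this covers the directives only.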