Skip to content

bugzilla
bugzilla
Commit 1327ff9a authored by Frédéric Buclin's avatar Frédéric Buclin
Browse files
Options

Bug 294021: Allow requestees to set attachment flags even if they don't have editbugs privs

r=gerv a=justdave
parent e477b10a
Hide whitespace changes
Inline Side-by-side
Showing with 55 additions and 26 deletions
Bugzilla/Attachment.pm
View file @ 1327ff9a
...@@ -700,28 +700,27 @@ sub get_attachments_by_bug { ...@@ -700,28 +700,27 @@ sub get_attachments_by_bug {
=pod =pod
=item C<validate_can_edit($attachment, $product_id)> =item C<validate_can_edit>
Description: validates if the user is allowed to view and edit the attachment. Description: validates if the user is allowed to view and edit the attachment.
Only the submitter or someone with editbugs privs can edit it. Only the submitter or someone with editbugs privs can edit it.
Only the submitter and users in the insider group can view Only the submitter and users in the insider group can view
private attachments. private attachments.
Params: $attachment - the attachment object being edited. Params: none
$product_id - the product ID the attachment belongs to.
Returns: 1 on success, 0 otherwise. Returns: 1 on success, 0 otherwise.
=cut =cut
sub validate_can_edit { sub validate_can_edit {
my ($attachment, $product_id) = @_; my $attachment = shift;
my $user = Bugzilla->user; my $user = Bugzilla->user;
# The submitter can edit their attachments. # The submitter can edit their attachments.
return ($attachment->attacher->id == $user->id return ($attachment->attacher->id == $user->id
|| ((!$attachment->isprivate || $user->is_insider) || ((!$attachment->isprivate || $user->is_insider)
&& $user->in_group('editbugs', $product_id))) ? 1 : 0; && $user->in_group('editbugs', $attachment->bug->product_id))) ? 1 : 0;
} }
=item C<validate_obsolete($bug, $attach_ids)> =item C<validate_obsolete($bug, $attach_ids)>
...@@ -758,7 +757,7 @@ sub validate_obsolete { ...@@ -758,7 +757,7 @@ sub validate_obsolete {
|| ThrowUserError('invalid_attach_id', $vars); || ThrowUserError('invalid_attach_id', $vars);
# Check that the user can view and edit this attachment. # Check that the user can view and edit this attachment.
$attachment->validate_can_edit($bug->product_id) $attachment->validate_can_edit
|| ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id }); || ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id });
if ($attachment->bug_id != $bug->bug_id) { if ($attachment->bug_id != $bug->bug_id) {
......
Bugzilla/Flag.pm
View file @ 1327ff9a
...@@ -825,7 +825,7 @@ sub extract_flags_from_cgi { ...@@ -825,7 +825,7 @@ sub extract_flags_from_cgi {
# Extract a list of existing flag IDs. # Extract a list of existing flag IDs.
my @flag_ids = map(/^flag-(\d+)$/ ? $1 : (), $cgi->param()); my @flag_ids = map(/^flag-(\d+)$/ ? $1 : (), $cgi->param());
return () if (!scalar(@flagtype_ids) && !scalar(@flag_ids)); return ([], []) unless (scalar(@flagtype_ids) || scalar(@flag_ids));
my (@new_flags, @flags); my (@new_flags, @flags);
foreach my $flag_id (@flag_ids) { foreach my $flag_id (@flag_ids) {
......
Bugzilla/WebService/Bug.pm
View file @ 1327ff9a
...@@ -852,7 +852,7 @@ sub update_attachment { ...@@ -852,7 +852,7 @@ sub update_attachment {
|| ThrowUserError("invalid_attach_id", { attach_id => $id }); || ThrowUserError("invalid_attach_id", { attach_id => $id });
my $bug = $attachment->bug; my $bug = $attachment->bug;
$attachment->_check_bug; $attachment->_check_bug;
$attachment->validate_can_edit($bug->product_id) $attachment->validate_can_edit
|| ThrowUserError("illegal_attachment_edit", { attach_id => $id }); || ThrowUserError("illegal_attachment_edit", { attach_id => $id });
push @attachments, $attachment; push @attachments, $attachment;
......
attachment.cgi
View file @ 1327ff9a
...@@ -626,7 +626,7 @@ sub update { ...@@ -626,7 +626,7 @@ sub update {
my $attachment = validateID(); my $attachment = validateID();
my $bug = $attachment->bug; my $bug = $attachment->bug;
$attachment->_check_bug; $attachment->_check_bug;
my $can_edit = $attachment->validate_can_edit($bug->product_id); my $can_edit = $attachment->validate_can_edit;
if ($can_edit) { if ($can_edit) {
$attachment->set_description(scalar $cgi->param('description')); $attachment->set_description(scalar $cgi->param('description'));
...@@ -680,11 +680,33 @@ sub update { ...@@ -680,11 +680,33 @@ sub update {
$bug->add_cc($user) if $cgi->param('addselfcc'); $bug->add_cc($user) if $cgi->param('addselfcc');
my ($flags, $new_flags) =
Bugzilla::Flag->extract_flags_from_cgi($bug, $attachment, $vars);
if ($can_edit) { if ($can_edit) {
my ($flags, $new_flags) =
Bugzilla::Flag->extract_flags_from_cgi($bug, $attachment, $vars);
$attachment->set_flags($flags, $new_flags); $attachment->set_flags($flags, $new_flags);
} }
# Requestees can set flags targetted to them, even if they cannot
# edit the attachment. Flag setters can edit their own flags too.
elsif (scalar @$flags) {
my %flag_list = map { $_->{id} => $_ } @$flags;
my $flag_objs = Bugzilla::Flag->new_from_list([keys %flag_list]);
my @editable_flags;
foreach my $flag_obj (@$flag_objs) {
if ($flag_obj->setter_id == $user->id
|| ($flag_obj->requestee_id && $flag_obj->requestee_id == $user->id))
{
push(@editable_flags, $flag_list{$flag_obj->id});
}
}
if (scalar @editable_flags) {
$attachment->set_flags(\@editable_flags, []);
# Flag changes must be committed.
$can_edit = 1;
}
}
# Figure out when the changes were made. # Figure out when the changes were made.
my $timestamp = $dbh->selectrow_array('SELECT LOCALTIMESTAMP(0)'); my $timestamp = $dbh->selectrow_array('SELECT LOCALTIMESTAMP(0)');
......
template/en/default/flag/list.html.tmpl
View file @ 1327ff9a
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
# defined by the Mozilla Public License, v. 2.0. # defined by the Mozilla Public License, v. 2.0.
#%] #%]
[% IF user.id && !read_only_flags && (!bug || bug.check_can_change_field('flagtypes.name', 0, 1)) %] [% IF user.id && (!bug || bug.check_can_change_field('flagtypes.name', 0, 1)) %]
[%# We list flags by looping twice over the flag types relevant for the bug. [%# We list flags by looping twice over the flag types relevant for the bug.
# In the first loop, we display existing flags and then, for active types, # In the first loop, we display existing flags and then, for active types,
...@@ -41,7 +41,9 @@ ...@@ -41,7 +41,9 @@
[% FOREACH flag = type.flags %] [% FOREACH flag = type.flags %]
[% PROCESS flag_row flag = flag type = type %] [% PROCESS flag_row flag = flag type = type %]
[% END -%] [% END -%]
[% SET flag = "" %] [% SET flag = "" %]
[% NEXT IF read_only_flags %]
[%-# Step 1b: Display UI for setting flag. %] [%-# Step 1b: Display UI for setting flag. %]
[% IF (!type.flags || type.flags.size == 0) && type.is_active %] [% IF (!type.flags || type.flags.size == 0) && type.is_active %]
...@@ -49,16 +51,18 @@ ...@@ -49,16 +51,18 @@
[% END %] [% END %]
[% END %] [% END %]
[%# Step 2: Display flag type again (if type is multiplicable). %] [% IF !read_only_flags %]
[% FOREACH type = flag_types %] [%# Step 2: Display flag type again (if type is multiplicable). %]
[% NEXT UNLESS type.flags && type.flags.size > 0 && type.is_multiplicable && type.is_active %] [% FOREACH type = flag_types %]
[% IF !separator_displayed %] [% NEXT UNLESS type.flags && type.flags.size > 0 && type.is_multiplicable && type.is_active %]
<tbody class="bz_flag_type"> [% IF !separator_displayed %]
<tr><td colspan="3"><hr></td></tr> <tbody class="bz_flag_type">
</tbody> <tr><td colspan="3"><hr></td></tr>
[% separator_displayed = 1 %] </tbody>
[% separator_displayed = 1 %]
[% END %]
[% PROCESS flag_row type = type addl_text = "addl." %]
[% END %] [% END %]
[% PROCESS flag_row type = type addl_text = "addl." %]
[% END %] [% END %]
</table> </table>
...@@ -93,6 +97,7 @@ ...@@ -93,6 +97,7 @@
[% BLOCK flag_row %] [% BLOCK flag_row %]
[% RETURN IF !flag && !((type.is_requestable && user.can_request_flag(type)) || user.can_set_flag(type)) %] [% RETURN IF !flag && !((type.is_requestable && user.can_request_flag(type)) || user.can_set_flag(type)) %]
[% SET fid = flag ? "flag-$flag.id" : "flag_type-$type.id" %] [% SET fid = flag ? "flag-$flag.id" : "flag_type-$type.id" %]
[% can_edit_flag = (!read_only_flags || (flag && (flag.setter_id == user.id || (flag.requestee_id && flag.requestee_id == user.id)))) ? 1 : 0 %]
<tbody[% ' class="bz_flag_type"' IF !flag %]> <tbody[% ' class="bz_flag_type"' IF !flag %]>
<tr> <tr>
<td> <td>
...@@ -111,12 +116,13 @@ ...@@ -111,12 +116,13 @@
<select id="[% fid FILTER html %]" name="[% fid FILTER html %]" <select id="[% fid FILTER html %]" name="[% fid FILTER html %]"
title="[% type.description FILTER html %]" title="[% type.description FILTER html %]"
onchange="toggleRequesteeField(this);" onchange="toggleRequesteeField(this);"
class="flag_select flag_type-[% type.id %]"> class="flag_select flag_type-[% type.id %]"
[% IF !can_edit_flag %] disabled="disabled"[% END %]>
[%# Only display statuses the user is allowed to set. %] [%# Only display statuses the user is allowed to set. %]
[% IF !flag || user.can_request_flag(type) || flag.setter_id == user.id %] [% IF !flag || (can_edit_flag && user.can_request_flag(type)) || flag.setter_id == user.id %]
<option value="X"></option> <option value="X"></option>
[% END %] [% END %]
[% IF type.is_active %] [% IF type.is_active && can_edit_flag %]
[% IF (type.is_requestable && user.can_request_flag(type)) || (flag && flag.status == "?") %] [% IF (type.is_requestable && user.can_request_flag(type)) || (flag && flag.status == "?") %]
<option value="?" [% "selected" IF flag && flag.status == "?" %]>?</option> <option value="?" [% "selected" IF flag && flag.status == "?" %]>?</option>
[% END %] [% END %]
...@@ -136,12 +142,13 @@ ...@@ -136,12 +142,13 @@
[% IF (type.is_active && type.is_requestable && type.is_requesteeble) || (flag && flag.requestee) %] [% IF (type.is_active && type.is_requestable && type.is_requesteeble) || (flag && flag.requestee) %]
[% SET grant_list = [] %] [% SET grant_list = [] %]
[% IF Param('usemenuforusers') %] [% IF Param('usemenuforusers') %]
[% grant_list = type.grant_list %] [% IF !can_edit_flag || (flag && !(type.is_active && type.is_requestable && type.is_requesteeble)) %]
[% IF flag && !(type.is_active && type.is_requestable && type.is_requesteeble) %]
[%# We are here only because there was already a requestee. In this case, [%# We are here only because there was already a requestee. In this case,
the only valid action is to remove the requestee or leave it alone; the only valid action is to remove the requestee or leave it alone;
nothing else. %] nothing else. %]
[% grant_list = [flag.requestee] %] [% grant_list = [flag.requestee] %]
[% ELSE %]
[% grant_list = type.grant_list %]
[% END %] [% END %]
[% END %] [% END %]
[% SET flag_name = flag ? "requestee-$flag.id" : "requestee_type-$type.id" %] [% SET flag_name = flag ? "requestee-$flag.id" : "requestee_type-$type.id" %]
...@@ -156,6 +163,7 @@ ...@@ -156,6 +163,7 @@
emptyok => flag_empty_ok emptyok => flag_empty_ok
classes => ["requestee"] classes => ["requestee"]
custom_userlist => grant_list custom_userlist => grant_list
disabled => !can_edit_flag
%] %]
[% END %] [% END %]
</td> </td>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment