Bug 340278: Move CheckCanChangeField() from process_bug.cgi to Bug.pm - Patch by…

Bugzilla/Bug.pm

@@ -100,7 +100,7 @@ sub initBug  {
   my ($bug_id, $user_id) = (@_);
   my $dbh = Bugzilla->dbh;
 
-  $bug_id = trim($bug_id);
+  $bug_id = trim($bug_id || 0);
 
   my $old_bug_id = $bug_id;
 
@@ -1166,6 +1166,138 @@ sub CheckIfVotedConfirmed {
     return $ret;
 }
 
+################################################################################
+# check_can_change_field() defines what users are allowed to change. You
+# can add code here for site-specific policy changes, according to the
+# instructions given in the Bugzilla Guide and below. Note that you may also
+# have to update the Bugzilla::Bug::user() function to give people access to the
+# options that they are permitted to change.
+#
+# check_can_change_field() returns true if the user is allowed to change this
+# field, and false if they are not.
+#
+# The parameters to this method are as follows:
+# $field    - name of the field in the bugs table the user is trying to change
+# $oldvalue - what they are changing it from
+# $newvalue - what they are changing it to
+# $PrivilegesRequired - return the reason of the failure, if any
+# $data     - hash containing relevant parameters, e.g. from the CGI object
+################################################################################
+sub check_can_change_field {
+    my $self = shift;
+    my ($field, $oldvalue, $newvalue, $PrivilegesRequired, $data) = (@_);
+    my $user = $self->{'who'};
+
+    $oldvalue = defined($oldvalue) ? $oldvalue : '';
+    $newvalue = defined($newvalue) ? $newvalue : '';
+
+    # Return true if they haven't changed this field at all.
+    if ($oldvalue eq $newvalue) {
+        return 1;
+    } elsif (trim($oldvalue) eq trim($newvalue)) {
+        return 1;
+    # numeric fields need to be compared using ==
+    } elsif (($field eq 'estimated_time' || $field eq 'remaining_time')
+             && $newvalue ne $data->{'dontchange'}
+             && $oldvalue == $newvalue)
+    {
+        return 1;
+    }
+
+    # Allow anyone to change comments.
+    if ($field =~ /^longdesc/) {
+        return 1;
+    }
+
+    # Ignore the assigned_to field if the bug is not being reassigned
+    if ($field eq 'assigned_to'
+        && $data->{'knob'} ne 'reassignbycomponent'
+        && $data->{'knob'} ne 'reassign')
+    {
+        return 1;
+    }
+
+    # If the user isn't allowed to change a field, we must tell him who can.
+    # We store the required permission set into the $PrivilegesRequired
+    # variable which gets passed to the error template.
+    #
+    # $PrivilegesRequired = 0 : no privileges required;
+    # $PrivilegesRequired = 1 : the reporter, assignee or an empowered user;
+    # $PrivilegesRequired = 2 : the assignee or an empowered user;
+    # $PrivilegesRequired = 3 : an empowered user.
+
+    # Allow anyone with "editbugs" privs to change anything.
+    if ($user->in_group('editbugs')) {
+        return 1;
+    }
+
+    # *Only* users with "canconfirm" privs can confirm bugs.
+    if ($field eq 'canconfirm'
+        || ($field eq 'bug_status'
+            && $oldvalue eq 'UNCONFIRMED'
+            && is_open_state($newvalue)))
+    {
+        $PrivilegesRequired = 3;
+        return $user->in_group('canconfirm');
+    }
+
+    # Make sure that a valid bug ID has been given.
+    if (!$self->{'error'}) {
+        # Allow the assignee to change anything else.
+        if ($self->{'assigned_to_id'} == $user->id) {
+            return 1;
+        }
+
+        # Allow the QA contact to change anything else.
+        if (Bugzilla->params->{'useqacontact'}
+            && $self->{'qa_contact_id'}
+            && ($self->{'qa_contact_id'} == $user->id))
+        {
+            return 1;
+        }
+    }
+
+    # At this point, the user is either the reporter or an
+    # unprivileged user. We first check for fields the reporter
+    # is not allowed to change.
+
+    # The reporter may not:
+    # - reassign bugs, unless the bugs are assigned to him;
+    #   in that case we will have already returned 1 above
+    #   when checking for the assignee of the bug.
+    if ($field eq 'assigned_to') {
+        $PrivilegesRequired = 2;
+        return 0;
+    }
+    # - change the QA contact
+    if ($field eq 'qa_contact') {
+        $PrivilegesRequired = 2;
+        return 0;
+    }
+    # - change the target milestone
+    if ($field eq 'target_milestone') {
+        $PrivilegesRequired = 2;
+        return 0;
+    }
+    # - change the priority (unless he could have set it originally)
+    if ($field eq 'priority'
+        && !Param('letsubmitterchoosepriority'))
+    {
+        $PrivilegesRequired = 2;
+        return 0;
+    }
+
+    # The reporter is allowed to change anything else.
+    if (!$self->{'error'} && $self->{'reporter_id'} == $user->id) {
+        return 1;
+    }
+
+    # If we haven't returned by this point, then the user doesn't
+    # have the necessary permissions to change this field.
+    $PrivilegesRequired = 1;
+    return 0;
+}
+
 #
 # Field Validation
 #

docs/xml/customization.xml

@@ -673,11 +673,11 @@
     <para>
       For maximum flexibility, customizing this means editing Bugzilla's Perl 
       code. This gives the administrator complete control over exactly who is
-      allowed to do what. The relevant function is called 
-      <filename>CheckCanChangeField()</filename>,
-      and is found in <filename>process_bug.cgi</filename> in your 
-      Bugzilla directory. If you open that file and search for 
-      <quote>sub CheckCanChangeField</quote>, you'll find it.
+      allowed to do what. The relevant method is called
+      <filename>check_can_change_field()</filename>,
+      and is found in <filename>Bug.pm</filename> in your
+      Bugzilla/ directory. If you open that file and search for
+      <quote>sub check_can_change_field</quote>, you'll find it.
     </para>
     
     <para>