Fix for bug 39816: Anyone in CC, Reporter, QA Contact, or Asigned To fields can now be given access to view a bug even if the permissions on that bug are set to a group that would normally exclude those people.

Patch by Myk Melez <myk@mozilla.org>
r= justdave@syndicomm.com

webtools/bugzilla/CGI.pl

@@ -266,33 +266,72 @@ sub ValidateBugID {
     # the user is a member of all groups to which the bug is restricted
     # and is authorized to access the bug.
 
+    # A user is also authorized to access a bug if she is the reporter, 
+    # assignee, QA contact, or member of the cc: list of the bug and the bug 
+    # allows users in those roles to see the bug.  The boolean fields 
+    # reporter_accessible, assignee_accessible, qacontact_accessible, and 
+    # cclist_accessible identify whether or not those roles can see the bug.
+
     # Bit arithmetic is performed by MySQL instead of Perl because bitset
     # fields in the database are 64 bits wide (BIGINT), and Perl installations
     # may or may not support integers larger than 32 bits.  Using bitsets
     # and doing bitset arithmetic is probably not cross-database compatible,
     # however, so these mechanisms are likely to change in the future.
-    SendSQL("SELECT ((groupset & $usergroupset) = groupset) 
-             FROM bugs WHERE bug_id = $id");
+
+    # Get data from the database about whether or not the user belongs to
+    # all groups the bug is in, and who are the bug's reporter and qa_contact
+    # along with which roles can always access the bug.
+    SendSQL("SELECT ((groupset & $usergroupset) = groupset) , reporter , assigned_to , qa_contact , 
+                    reporter_accessible , assignee_accessible , qacontact_accessible , cclist_accessible 
+             FROM   bugs 
+             WHERE  bug_id = $id");
 
     # Make sure the bug exists in the database.
     MoreSQLData()
       || DisplayError("Bug #$id does not exist.")
       && exit;
 
-    # Make sure the user is authorized to access the bug.
-    my ($isauthorized) = FetchSQLData();
-    $isauthorized
-      || (
-           $userid ?
-           DisplayError("You are not authorized to access bug #$id.") : 
-           DisplayError(
-             qq|You are not authorized to access bug #$id. 
-             To see this bug, you must first 
-             <a href="show_bug.cgi?id=$id&GoAheadAndLogIn=1">log in</a> 
-             to an account with the appropriate permissions.|
-           )
-         )
-      && exit;
+    my ($isauthorized, $reporter, $assignee, $qacontact, $reporter_accessible, 
+        $assignee_accessible, $qacontact_accessible, $cclist_accessible) = FetchSQLData();
+
+    # Finish validation and return if the user is authorized either by being
+    # a member of all necessary groups or by being the reporter, assignee, or QA contact.
+    return
+      if $isauthorized 
+        || ($reporter_accessible && $reporter == $userid)
+        || ($assignee_accessible && $assignee == $userid)
+        || ($qacontact_accessible && $qacontact == $userid);
+
+    # Try to authorize the user one more time by seeing if they are on 
+    # the cc: list.  If so, finish validation and return.
+    if ( $cclist_accessible ) {
+        my @cclist;
+        SendSQL("SELECT cc.who 
+                 FROM   bugs , cc
+                 WHERE  bugs.bug_id = $id
+                 AND    cc.bug_id = bugs.bug_id
+                ");
+        while (my ($ccwho) = FetchSQLData()) {
+            push @cclist , $ccwho;
+        }
+        return if grep($userid == $_ , @cclist);
+    }
+
+    # The user did not pass any of the authorization tests, which means they
+    # are not authorized to see the bug.  Display an error and stop execution.
+    # The error the user sees depends on whether or not they are logged in
+    # (i.e. $userid contains the user's positive integer ID).
+    if ($userid) {
+        DisplayError("You are not authorized to access bug #$id.");
+    } else {
+        DisplayError(
+          qq|You are not authorized to access bug #$id.  To see this bug, you
+          must first <a href="show_bug.cgi?id=$id&GoAheadAndLogIn=1">log in 
+          to an account</a> with the appropriate permissions.|
+        );
+    }
+    exit;
+
 }
 
 # check and see if a given string actually represents a positive

webtools/bugzilla/bug_form.pl

@@ -74,46 +74,24 @@ select
 	sum(votes.count)
 from bugs left join votes using(bug_id)
 where bugs.bug_id = $id
-and bugs.groupset & $::usergroupset = bugs.groupset
 group by bugs.bug_id";
 
 SendSQL($query);
 my %bug;
 my @row;
-if (@row = FetchSQLData()) {
-    my $count = 0;
-    foreach my $field ("bug_id", "product", "version", "rep_platform",
-		       "op_sys", "bug_status", "resolution", "priority",
-		       "bug_severity", "component", "assigned_to", "reporter",
-		       "bug_file_loc", "short_desc", "target_milestone",
-                       "qa_contact", "status_whiteboard", "creation_ts",
-                       "groupset", "delta_ts", "votes") {
-	$bug{$field} = shift @row;
-	if (!defined $bug{$field}) {
-	    $bug{$field} = "";
-	}
-	$count++;
+@row = FetchSQLData();
+my $count = 0;
+foreach my $field ("bug_id", "product", "version", "rep_platform",
+                   "op_sys", "bug_status", "resolution", "priority",
+                   "bug_severity", "component", "assigned_to", "reporter",
+                   "bug_file_loc", "short_desc", "target_milestone",
+                   "qa_contact", "status_whiteboard", "creation_ts",
+                   "groupset", "delta_ts", "votes") {
+    $bug{$field} = shift @row;
+    if (!defined $bug{$field}) {
+        $bug{$field} = "";
     }
-} else {
-    SendSQL("select groupset from bugs where bug_id = $id");
-    if (@row = FetchSQLData()) {
-        print "<H1>Permission denied.</H1>\n";
-        if ($loginok) {
-            print "Sorry; you do not have the permissions necessary to see\n";
-            print "bug $id.\n";
-        } else {
-            print "Sorry; bug $id can only be viewed when logged\n";
-            print "into an account with the appropriate permissions.  To\n";
-            print "see this bug, you must first\n";
-            print "<a href=\"show_bug.cgi?id=$id&GoAheadAndLogIn=1\">";
-            print "log in</a>.";
-        }
-    } else {
-        print "<H1>Bug not found</H1>\n";
-        print "There does not seem to be a bug numbered $id.\n";
-    }
-    PutFooter();
-    exit;
+    $count++;
 }
 
 my $assignedtoid = $bug{'assigned_to'};
@@ -205,7 +183,7 @@ print "
     make_options($::versions{$bug{'product'}}, $bug{'version'}) .
     "</SELECT></TD>
   <TD>&nbsp;</TD>
-    <TD ROWSPAN=4 ALIGN=RIGHT VALIGN=TOP><B>Cc:</B></TD>
+    <TD ROWSPAN=4 ALIGN=RIGHT VALIGN=TOP><B>CC:</B></TD>
     <TD ROWSPAN=4 VALIGN=TOP> $cc_element </TD>
 </TR><TR>
     <TD ALIGN=RIGHT><B><A HREF=\"bug_status.html\">Status:</A></B></TD>
@@ -401,8 +379,52 @@ if ($::usergroupset ne '0') {
         print "$description<br>\n";
       }
     }
+
+    # If the user is a member of an active bug group, then they also have the 
+    # ability to determine whether or not the reporter, assignee, QA contact, 
+    # or users on the cc: list should be able to see the bug even when they 
+    # are not members of the groups to which the bug is restricted, so display 
+    # checkboxes that allow the user to make these determinations.
+    SendSQL("SELECT bit FROM groups WHERE bit & $::usergroupset != 0 AND isbuggroup != 0 AND isactive = 1");
+    if ( FetchSQLData() ) {
+        # Determine whether or not the bug is always accessible by the reporter,
+        # QA contact, and/or users on the cc: list.
+        SendSQL("SELECT  reporter_accessible , assignee_accessible , 
+                         qacontact_accessible , cclist_accessible
+                 FROM    bugs
+                 WHERE   bug_id = $id
+                ");
+        my ($reporter_accessible, $assignee_accessible, $qacontact_accessible, $cclist_accessible) = FetchSQLData();
+
+        # Convert boolean data about which roles always have access to the bug
+        # into "checked" attributes for the HTML checkboxes by which users
+        # set and change these values.
+        my $reporter_checked = $reporter_accessible ? " checked" : "";
+        my $assignee_checked = $assignee_accessible ? " checked" : "";
+        my $qacontact_checked = $qacontact_accessible ? " checked" : "";
+        my $cclist_checked = $cclist_accessible ? " checked" : "";
+
+        # Display interface for changing the values.
+        print qq|
+            <p>
+            <b>But users in the roles selected below can always view this bug:</b><br>
+            <small>(Does not take effect unless the bug is restricted to at least one group.)</small>
+            </p>
+
+            <p>
+            <input type="checkbox" name="reporter_accessible" value="1" $reporter_checked>Reporter
+            <input type="checkbox" name="assignee_accessible" value="1" $assignee_checked>Assignee
+            <input type="checkbox" name="qacontact_accessible" value="1" $qacontact_checked>QA Contact
+            <input type="checkbox" name="cclist_accessible" value="1" $cclist_checked>CC List
+            </p>
+        |;
+    }
 }
 
+
+
+
+
 print "<br>
 <INPUT TYPE=radio NAME=knob VALUE=none CHECKED>
         Leave as <b>$bug{'bug_status'} $bug{'resolution'}</b><br>";

webtools/bugzilla/checksetup.pl

@@ -894,6 +894,10 @@ $table{bugs} =
     . '
     lastdiffed datetime not null,
     everconfirmed tinyint not null,
+    reporter_accessible tinyint not null default 1,
+    assignee_accessible tinyint not null default 1,
+    qacontact_accessible tinyint not null default 1,
+    cclist_accessible tinyint not null default 1,
 
     index (assigned_to),
     index (creation_ts),
@@ -2455,6 +2459,15 @@ if (GetFieldDef('bugs_activity', 'oldvalue')) {
 # http://bugzilla.mozilla.org/show_bug.cgi?id=90933
 ChangeFieldType("profiles", "disabledtext", "mediumtext not null");
 
+# 2001-07-26 myk@mozilla.org bug39816: 
+# Add fields to the bugs table that record whether or not the reporter,
+# assignee, QA contact, and users on the cc: list can see bugs even when
+# they are not members of groups to which the bugs are restricted.
+AddField("bugs", "reporter_accessible", "tinyint not null default 1");
+AddField("bugs", "assignee_accessible", "tinyint not null default 1");
+AddField("bugs", "qacontact_accessible", "tinyint not null default 1");
+AddField("bugs", "cclist_accessible", "tinyint not null default 1");
+
 # If you had to change the --TABLE-- definition in any way, then add your
 # differential change code *** A B O V E *** this comment.
 #

webtools/bugzilla/process_bug.cgi

@@ -529,6 +529,35 @@ if (defined $::FORM{'qa_contact'}) {
 
 
 
+
+# If the user is submitting changes from show_bug.cgi for a single bug
+# and they have access to an active bug group, process the flags that
+# indicate whether or not the reporter, assignee, QA contact, and users
+# on the CC list can see the bug regardless of its group restrictions.
+if ( $::FORM{'id'} ) {
+    SendSQL("SELECT bit FROM groups WHERE bit & $::usergroupset != 0 
+             AND isbuggroup != 0 AND isactive = 1");
+    my ($groupbits) = FetchSQLData();
+    if ( $groupbits ) {
+        DoComma();
+        $::FORM{'reporter_accessible'} = $::FORM{'reporter_accessible'} ? '1' : '0';
+        $::query .= "reporter_accessible = $::FORM{'reporter_accessible'}";
+
+        DoComma();
+        $::FORM{'assignee_accessible'} = $::FORM{'assignee_accessible'} ? '1' : '0';
+        $::query .= "assignee_accessible = $::FORM{'assignee_accessible'}";
+
+        DoComma();
+        $::FORM{'qacontact_accessible'} = $::FORM{'qacontact_accessible'} ? '1' : '0';
+        $::query .= "qacontact_accessible = $::FORM{'qacontact_accessible'}";
+
+        DoComma();
+        $::FORM{'cclist_accessible'} = $::FORM{'cclist_accessible'} ? '1' : '0';
+        $::query .= "cclist_accessible = $::FORM{'cclist_accessible'}";
+    }
+}
+
+
 my $removedCcString = "";
 my $duplicate = 0;