Open Bug 1136039 Opened 10 years ago Updated 1 year ago

Flags for attachments should only check the grant and request group restrictions (similar to bug flags), not for the editbugs group in general

Categories

(Bugzilla :: Attachments & Requests, enhancement)

4.4.8
enhancement
Not set
normal

UNCONFIRMED

People

(Reporter: mva, Unassigned)

Details

Attachments

(1 obsolete file)

User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:35.0) Gecko/20100101 Firefox/35.0
Build ID: 20150206183955

Steps to reproduce:

1) Create a flag "approval" for attachments, requestable, multiplicable, etc. No grant or request group selection, to allow everyone to request or set it.
2) Create a user with limited permissions (e.g. everyone), but no editbugs permissions.
3) Create a bug with an attachment and set the approval flag for it.
- Open the attachment details of the bug as the user from step 2.

Actual results:

The flag cannot be set or requested, despite its grant and request group permissions.

Expected results:

The flag can be set or requested, and flags on attachments behave the same way as flags on bugs. Right now, changing flags on attachments requires the user to be the attachment submitter or to have editbugs permissions (internal can_edit flag in template/en/default/attachment/edit.html.tmpl). This, however, contradicts the request and grant group permissions for them.
You need to be allowed to edit attachment attributes to be allowed to edit attachment flags. The grant group and request group permit adding additional restrictions on the flags, not replacing existing rules. It is so by design.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
I would strongly vote for a change here, since the behaviour is not the same as for flags being placed on bugs. Either the one or other should be changed. Should I open another bug report for that?
(In reply to mva from comment #2)
> I would strongly vote for a change here, since the behaviour is not the same
> as for flags being placed on bugs.

The behavior is mostly the same for bugs. If you are not allowed to edit a bug (CANEDIT bit turned on), you cannot edit bug flags either. As you said, the attachment creator is allowed to edit flags on his own attachments, unless the grant group and request group say otherwise, and this should cover most cases without allowing anyone to cause vandalism.

There is no need to open a separate bug. If you strongly disagree with this rationale, feel free to reopen this bug, and reword the bug summary a bit to be clearer about what you are really asking for.
I rephrased the bug and verified this in a local Bugzilla setup. A user with *everyone* being set as group, and without editbugs permissions, can set flags on a bug (regardless of whether it is owned by the user or not), but not on an attachment, if there are no group restrictions (or the restrictions of the flag cover the groups of the user).

The relevant code in template/en/bug/edit.html.tmpl checks whether the flag's group restrictions allow the user to set it (user.can_request_flag(), user.can_set_flag()). No check for the editbugs group is done here. The attachment code, however, checks for this. Either the one or the other (preferably my initial request) needs to be fixed.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Summary: Flags for attachments ignore the grant and request group settings → Flags for attachments should only check the grant and request group restrictions (similar to bug flags), not for the editbugs group in general
Severity: normal → enhancement
Attachment #9384516 - Attachment is obsolete: true