1149055 - flag requestees are unable to set an attachment flag via a the update_attachment webservice if they do not have editbugs

Status: RESOLVED FIXED

(Bugzilla :: WebService, defect)

Description

[:glob ✱]

if you set the requestee of a flag to a user without editbugs, they are able to set the flag via the bugzilla web user interface.

however when calling the update_attachment webservice method, the user requires the ability to edit the attachment and the update fails with:

> You are not authorized to edit attachment 2 [details] [diff] [review]

this is because the B::W::Bug::update_attachment always calls:

> $attachment->validate_can_edit
>     || ThrowUserError("illegal_attachment_edit", { attach_id => $id });

it pains me to see this sort of logic outside of Bugzilla::Attachment, but that's a story for another day.

attachment.cgi has special logic for this scenario, with the following comment:

> # Requestees can set flags targetted to them, even if they cannot
> # edit the attachment. Flag setters can edit their own flags too.

this needs to be mirrored by the webservice.

Comment 1

[:glob ✱]

Attachment: 1149055_1.patch

Comment 2

[David Lawrence [:dkl]]

Comment on attachment 8585510 [details] [diff] [review]
1149055_1.patch

Review of attachment 8585510 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

Comment 3

[:glob ✱]

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   33a4bd4..e4362da  master -> master

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   fff3c76..ae30ea2  5.0 -> 5.0