338875 - When 'strict_isolation' is on, we cannot move a bug to a new product and reassign to the default owner and QA contact if the old ones cannot edit the product

Status: NEW

(Bugzilla :: Creating/Changing Bugs, defect)

Description

[Frédéric Buclin]

process_bug.cgi makes sure the owner and QA contact can edit the product the bug is moved into when 'strict_isolation' is turned on, see lines 1464-1481. The problem is that it also checks that the old owner and QA contact can also edit this product, despite they will be thrown out of their respective role. This is too restrictive!

joel, I don't remember if we discussed this problem or not when implementing this feature, but we should relax this restriction.

Comment 1

[Joel Peshkin]

That mkes sense, but we will have to be careful about bugmail so that, if the old owner and QA are not able to see the new product AT ALL, they don't get too much information by bugmail.  Naturally, this is less of a problem if they are permitted to see, but not edit the new product.

Comment 2

[Frédéric Buclin]

I think BugMail.pm makes sure the user is allowed to see the bug, see around line 431: if ($user->can_see_bug($id)) {...}. AFAIK, BugMail.pm is also the one which checks that unauthorized people watching other users are excluded when the bug is restricted to some group.

Comment 3

[Frédéric Buclin]

The Bugzilla 3.0 branch is now locked to security bugs and dataloss fixes only. This bug doesn't fit into one of these two categories and is retargetted to 3.2 as part of a mass-change. To catch bugmails related to this mass-change, use lts081207 in your email client filter.

Comment 4

[Charlie Rice]

Attachment: same problem

Thanks from sucuptocir1983.