Even if I don't have permission to, I can clear a flag by way of moving the bug into a product where the flag does not apply and moving it back into the product where it came from. Happened on b.m.o bug 364056 -- this is me assuming I don't have permission to clear blocking3.0 in the Bugzilla product, thus I'm filing this as UNCONFIRMED. See bug 286160, comment 1. I'm not really sure this is a sec bug, but better safe than sorry.
That's the desired effect. It's more important to let you move a bug into the right product than to prevent you from clearing a flag. Moreover, you have enough privs to clear the flag anyway as you don't need to be in the grant group of the flag type to remove +/-. This group is here only to limit who can set the flag to +/-, not the opposite.
This is not the desired effect for most developers using BMO, but it does seem to be the opinion of Bugzilla developers (see bug 261995; this is basically a dupe of that one). However, while I may grumble loudly about losing flags without warning or notice for unrestricted flags (and I *do* grumble), it is a separate bug that people can get around flag-setting permissions by forcing a product change. Bug 303183 is similar, only dealing with groups instead of flags. If there are restrictions on setting some bit of data, then that restriction should also prevent changing other fields that implicitly change the restricted field. This is a conflict between whether it's more important to categorize a bug properly or to keep the flags/groups set properly. Categorization appears important, but given the potential damage from revealing a security exploit or losing track of an important bug for a release (because Bugzilla sucks at branch management), the other data is equally important.
(19:38:10) LpSolit: dveditz: see bug 291391
(19:38:31) LpSolit: dveditz: the restriction you are talking about has been relaxed in this bug
(19:39:10) dveditz: setting a flag to ? is different than clearing it, but OK
(19:39:29) LpSolit: dveditz: no, read comment 2
(19:40:07) dveditz: yeah, I did. thus "but OK"
(19:40:15) dveditz: I bow to reality
(19:40:58) dveditz: alright, I guess you can dupe it to 261995

*** This bug has been marked as a duplicate of 261995 ***
Also note bug 349077.