authorDave Lawrence <dlawrence@mozilla.com>2012-08-10 22:57:23 +0200
committerDave Lawrence <dlawrence@mozilla.com>2012-08-10 22:57:23 +0200
commita05220de2e69d4b6ef212d1f3556fa848b6e1508 (patch)
tree7383fb335d3db6290f46a81a3397b15c45bcdb70
parentecc6dfbcde8351fa37d7f7ed09b875d4eadb5027 (diff)
Bug 779088 - Allow extensions to whitelist PATH_INFO
r/a=LpSolit
-rw-r--r--Bugzilla/CGI.pm12
-rw-r--r--Bugzilla/Hook.pm16
-rw-r--r--extensions/Example/Extension.pm110
3 files changed, 83 insertions, 55 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index cb09c0066..febbff618 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -59,14 +59,20 @@ sub new {
# Path-Info is of no use for Bugzilla and interacts badly with IIS.
# Moreover, it causes unexpected behaviors, such as totally breaking
- # the rendering of pages. Skip it!
- print $self->redirect($self->url(-path => 0, -query => 1)) if $self->path_info;
+ # the rendering of pages.
+ my $script = basename($0);
+ if ($self->path_info) {
+ my @whitelist;
+ Bugzilla::Hook::process('path_info_whitelist', { whitelist => \@whitelist });
+ if (!grep($_ eq $script, @whitelist)) {
+ print $self->redirect($self->url(-path => 0, -query => 1));
+ }
+ }
# Send appropriate charset
$self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : '');
# Redirect to urlbase/sslbase if we are not viewing an attachment.
- my $script = basename($0);
if ($self->url_is_attachment_base and $script ne 'attachment.cgi') {
$self->redirect_to_urlbase();
}
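Review bot: The new whitelist branch lets Path-Info through for any script name an extension pushes, yet the comment above it still only says that Path-Info breaks page rendering and no longer states what is expected of an exempted script. Because the test is `$_ eq $script` against `basename($0)`, an extension can exempt core scripts as well, whose templates presumably depend on Path-Info being absent. A comment such as `# Whitelisted scripts receive Path-Info unmodified and must validate it themselves.` above the `Bugzilla::Hook::process` call would make that contract explicit. Separately, the redirect is still only printed and the constructor carries on afterwards, as it did with the old one-liner. `new` starts and ends outside this hunk.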
diff --git a/Bugzilla/Hook.pm b/Bugzilla/Hook.pm
index 730170663..3b8b52805 100644
--- a/Bugzilla/Hook.pm
+++ b/Bugzilla/Hook.pm
@@ -1289,6 +1289,22 @@ your template.
=back
+=head2 path_info_whitelist
+
+By default, Bugzilla removes the Path-Info information from URLs before
+passing data to CGI scripts. If this information is needed for your
+customizations, you can enumerate the pages you want to whitelist here.
+
+Params:
+
+=over
+
+=item C<whitelist>
+
+An array of script names that will not have their Path-Info automatically
+removed.
+
+=back
=head2 post_bug_after_creation
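Review bot: The new POD says "enumerate the pages you want to whitelist", while the `whitelist` item and the check in Bugzilla/CGI.pm both work on script names, so a reader could take "pages" to mean page.cgi page ids. I would word it as `you can list the CGI script names (for example page.cgi) that should keep their Path-Info here.` The section should also say that an exempted script receives Path-Info unchanged and is responsible for validating it before use. The surrounding POD continues outside the hunk.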
diff --git a/extensions/Example/Extension.pm b/extensions/Example/Extension.pm
index 62fb345d9..f3efcb2a8 100644
--- a/extensions/Example/Extension.pm
+++ b/extensions/Example/Extension.pm
@@ -29,6 +29,20 @@ use constant REL_EXAMPLE => -127;
our $VERSION = '1.0';
+sub admin_editusers_action {
+ my ($self, $args) = @_;
+ my ($vars, $action, $user) = @$args{qw(vars action user)};
+ my $template = Bugzilla->template;
+
+ if ($action eq 'my_action') {
+ # Allow to restrict the search to any group the user is allowed to bless.
+ $vars->{'restrictablegroups'} = $user->bless_groups();
+ $template->process('admin/users/search.html.tmpl', $vars)
+ || ThrowTemplateError($template->error());
+ exit;
+ }
+}
+
sub attachment_process_data {
my ($self, $args) = @_;
my $type = $args->{attributes}->{mimetype};
@@ -65,6 +79,44 @@ sub auth_verify_methods {
}
}
+sub bug_check_can_change_field {
+ my ($self, $args) = @_;
+
+ my ($bug, $field, $new_value, $old_value, $priv_results)
+ = @$args{qw(bug field new_value old_value priv_results)};
+
+ my $user = Bugzilla->user;
+
+ # Disallow a bug from being reopened if currently closed unless user
+ # is in 'admin' group
+ if ($field eq 'bug_status' && $bug->product_obj->name eq 'Example') {
+ if (!is_open_state($old_value) && is_open_state($new_value)
+ && !$user->in_group('admin'))
+ {
+ push(@$priv_results, PRIVILEGES_REQUIRED_EMPOWERED);
+ return;
+ }
+ }
+
+ # Disallow a bug's keywords from being edited unless user is the
+ # reporter of the bug
+ if ($field eq 'keywords' && $bug->product_obj->name eq 'Example'
+ && $user->login ne $bug->reporter->login)
+ {
+ push(@$priv_results, PRIVILEGES_REQUIRED_REPORTER);
+ return;
+ }
+
+ # Allow updating of priority even if user cannot normally edit the bug
+ # and they are in group 'engineering'
+ if ($field eq 'priority' && $bug->product_obj->name eq 'Example'
+ && $user->in_group('engineering'))
+ {
+ push(@$priv_results, PRIVILEGES_REQUIRED_NONE);
+ return;
+ }
+}
+
sub bug_columns {
my ($self, $args) = @_;
my $columns = $args->{'columns'};
@@ -676,6 +728,12 @@ sub page_before_template {
}
}
+sub path_info_whitelist {
+ my ($self, $args) = @_;
+ my $whitelist = $args->{whitelist};
+ push(@$whitelist, "page.cgi");
+}
+
sub post_bug_after_creation {
my ($self, $args) = @_;
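Review bot: The example `path_info_whitelist` exempts `page.cgi` on every request without any comment, and nothing visible in this diff reads the Path-Info that is then let through. Since extension authors copy from this file, I would add a comment above the push such as `# page.cgi now receives Path-Info unmodified; only whitelist scripts whose code validates it.` Ending the sub with an explicit `return;` would also keep it from implicitly returning the result of `push`.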
@@ -804,58 +862,6 @@ sub template_before_process {
}
}
-sub bug_check_can_change_field {
- my ($self, $args) = @_;
-
- my ($bug, $field, $new_value, $old_value, $priv_results)
- = @$args{qw(bug field new_value old_value priv_results)};
-
- my $user = Bugzilla->user;
-
- # Disallow a bug from being reopened if currently closed unless user
- # is in 'admin' group
- if ($field eq 'bug_status' && $bug->product_obj->name eq 'Example') {
- if (!is_open_state($old_value) && is_open_state($new_value)
- && !$user->in_group('admin'))
- {
- push(@$priv_results, PRIVILEGES_REQUIRED_EMPOWERED);
- return;
- }
- }
-
- # Disallow a bug's keywords from being edited unless user is the
- # reporter of the bug
- if ($field eq 'keywords' && $bug->product_obj->name eq 'Example'
- && $user->login ne $bug->reporter->login)
- {
- push(@$priv_results, PRIVILEGES_REQUIRED_REPORTER);
- return;
- }
-
- # Allow updating of priority even if user cannot normally edit the bug
- # and they are in group 'engineering'
- if ($field eq 'priority' && $bug->product_obj->name eq 'Example'
- && $user->in_group('engineering'))
- {
- push(@$priv_results, PRIVILEGES_REQUIRED_NONE);
- return;
- }
-}
-
-sub admin_editusers_action {
- my ($self, $args) = @_;
- my ($vars, $action, $user) = @$args{qw(vars action user)};
- my $template = Bugzilla->template;
-
- if ($action eq 'my_action') {
- # Allow to restrict the search to any group the user is allowed to bless.
- $vars->{'restrictablegroups'} = $user->bless_groups();
- $template->process('admin/users/search.html.tmpl', $vars)
- || ThrowTemplateError($template->error());
- exit;
- }
-}
-
sub user_preferences {
my ($self, $args) = @_;
my $tab = $args->{current_tab};