authorlpsolit%gmail.com <>2007-03-11 17:55:21 +0100
committerlpsolit%gmail.com <>2007-03-11 17:55:21 +0100
commite15776a6d748b615a60596f5f065db0a380550cb (patch)
tree54b5e54ca8dfa2142428cd3ae75aa6b44aef3be8
parent065fa87760272df3ee648b8e09b24eba8d369944 (diff)
downloadbugzilla-e15776a6d748b615a60596f5f065db0a380550cb.tar.gz
bugzilla-e15776a6d748b615a60596f5f065db0a380550cb.tar.xz
Bug 354868: Race condition when changing user privs in editusers.cgi - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=LpSolit
-rwxr-xr-xeditusers.cgi21
-rw-r--r--template/en/default/admin/users/edit.html.tmpl8
-rw-r--r--template/en/default/filterexceptions.pl2
3 files changed, 14 insertions, 17 deletions
diff --git a/editusers.cgi b/editusers.cgi
index b4e3f698e..076a2de98 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -235,7 +235,10 @@ if ($action eq 'search') {
'groups READ',
'user_group_map WRITE',
'group_group_map READ',
- 'group_group_map AS ggm READ');
+ 'group_group_map AS ggm READ',
+ 'user_group_map AS directmember READ',
+ 'user_group_map AS regexpmember READ',
+ 'user_group_map AS directbless READ');
$editusers || $user->can_see_user($otherUser)
|| ThrowUserError('auth_failure', {reason => "not_visible",
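Review bot: The three new `user_group_map AS …` entries in the lock list exist only to serve the query `userDataToVars()` issues further down this branch (outside this hunk), and nothing at this site says so, so a future edit to either the lock list or that routine can silently desynchronise them; I would add above the list `# Aliased user_group_map/group_group_map locks must match the aliases userDataToVars() queries under (presumably required by the table-locking layer).` Whether every alias that routine actually uses is covered cannot be confirmed from this hunk alone. The surrounding `if ($action eq 'search')` branch continues on both sides of the hunk.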
@@ -282,15 +285,16 @@ if ($action eq 'search') {
# silently.
# XXX: checking for existence of each user_group_map entry
# would allow to display a friendlier error message on page reloads.
+ userDataToVars($otherUserID);
+ my $permissions = $vars->{'permissions'};
foreach (@{$user->bless_groups()}) {
my $id = $$_{'id'};
my $name = $$_{'name'};
# Change memberships.
- my $oldgroupid = $cgi->param("oldgroup_$id") || '0';
- my $groupid = $cgi->param("group_$id") || '0';
- if ($groupid ne $oldgroupid) {
- if ($groupid eq '0') {
+ my $groupid = $cgi->param("group_$id") || 0;
+ if ($groupid != $permissions->{$id}->{'directmember'}) {
+ if (!$groupid) {
$sth_remove_mapping->execute(
$otherUserID, $id, 0, GRANT_DIRECT);
push(@groupsRemovedFrom, $name);
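Review bot: `my $groupid = $cgi->param("group_$id") || 0;` on the new side feeds an arbitrary request string into the numeric `!=` against `$permissions->{$id}->{'directmember'}`, so a tampered value such as `group_5=abc` only raises a non-numeric warning and still takes the add branch; normalising to the boolean the checkbox encodes, `my $groupid = $cgi->param("group_$id") ? 1 : 0;`, keeps the comparison meaningful and warning-free. The same comparison also warns if `directmember` is missing for a group that `userDataToVars()` did not populate — whether it defaults every group to 0 is not visible here. The `# XXX:` remark just above (its first line is outside the hunk) about friendlier errors on page reloads looks stale now that the submitted state is compared with the database rather than a hidden field, since a reload no longer produces a difference; I would drop or reword it. The enclosing `foreach` body continues past the hunk.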
@@ -304,10 +308,9 @@ if ($action eq 'search') {
# Only members of the editusers group may change bless grants.
# Skip silently if this is not the case.
if ($editusers) {
- my $oldgroupid = $cgi->param("oldbless_$id") || '0';
- my $groupid = $cgi->param("bless_$id") || '0';
- if ($groupid ne $oldgroupid) {
- if ($groupid eq '0') {
+ my $groupid = $cgi->param("bless_$id") || 0;
+ if ($groupid != $permissions->{$id}->{'directbless'}) {
+ if (!$groupid) {
$sth_remove_mapping->execute(
$otherUserID, $id, 1, GRANT_DIRECT);
push(@groupsDeniedRightsToBless, $name);
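Review bot: The bless branch repeats the member branch line for line with `bless_`/`directbless`/`1` substituted for `group_`/`directmember`/`0`, so the same unvalidated `|| 0` value reaches the numeric comparison here and any correction to one copy must be mirrored in the other. A small helper taking the parameter prefix, the permission key and the isbless flag would keep the two in step; at minimum the value should be normalised the same way, e.g. `my $groupid = $cgi->param("bless_$id") ? 1 : 0;`. The add half of this block lies outside the hunk.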
diff --git a/template/en/default/admin/users/edit.html.tmpl b/template/en/default/admin/users/edit.html.tmpl
index abc124616..5712b6f57 100644
--- a/template/en/default/admin/users/edit.html.tmpl
+++ b/template/en/default/admin/users/edit.html.tmpl
@@ -72,9 +72,7 @@
name="bless_[% group.id %]"
value="1"
[% ' checked="checked"' IF perms.directbless %] />
- [% ']' IF perms.indirectbless %]
- [% %]<input type="hidden" name="oldbless_[% group.id %]"
- value="[% perms.directbless %]" /></td>
+ [% ']' IF perms.indirectbless %]</td>
[% END %]
<td class="checkbox">
[% '[' IF perms.derivedmember %]
@@ -85,9 +83,7 @@
value="1"
[% ' checked="checked"' IF perms.directmember %] />
[% '*' IF perms.regexpmember %]
- [% ']' IF perms.derivedmember %]
- [% %]<input type="hidden" name="oldgroup_[% group.id %]"
- value="[% perms.directmember %]" /></td>
+ [% ']' IF perms.derivedmember %]</td>
<td class="groupname">
<label for="group_[% group.id %]">
<strong>[% group.name FILTER html %]:</strong>
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index 3a25da7ae..0df0a0363 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -542,8 +542,6 @@
'admin/users/edit.html.tmpl' => [
'otheruser.id',
'group.id',
- 'perms.directbless',
- 'perms.directmember',
],
'admin/components/edit.html.tmpl' => [