authorlpsolit%gmail.com <>2006-10-15 07:02:09 +0200
committerlpsolit%gmail.com <>2006-10-15 07:02:09 +0200
commit93815fc7619567cc962e053280c5ed0b19492feb (patch)
treeffc99d8156c41fbd0d5ab8801324adead2ef4436 /editfields.cgi
parent6fcfcb93eda16108f71b4c96010bae95cde622cd (diff)
Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk
Diffstat (limited to 'editfields.cgi')
-rw-r--r--editfields.cgi15
1 files changed, 9 insertions, 6 deletions
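--- a/editfields.cgi
+++ b/editfields.cgi
@@ -23,6 +23,7 @@ use Bugzilla::Constants;
 use Bugzilla::Error;
 use Bugzilla::Util;
 use Bugzilla::Field;
+use Bugzilla::Token;
 my $cgi = Bugzilla->cgi;
 my $template = Bugzilla->template;
@@ -36,6 +37,7 @@ $user->in_group('admin')
 object => 'custom_fields'});
 my $action = trim($cgi->param('action') || '');
+my $token = $cgi->param('token');
 print $cgi->header();
@@ -46,10 +48,13 @@ if (!$action) {
 }
 # Interface to add a new custom field.
 elsif ($action eq 'add') {
+ $vars->{'token'} = issue_session_token('add_field');
+
 $template->process('admin/custom_fields/create.html.tmpl', $vars)
 || ThrowTemplateError($template->error());
 }
 elsif ($action eq 'new') {
+ check_token_data($token, 'add_field');
 my $name = clean_text($cgi->param('name') || '');
 my $desc = clean_text($cgi->param('desc') || '');
 my $type = trim($cgi->param('type') || FIELD_TYPE_FREETEXT);
@@ -93,6 +98,7 @@ elsif ($action eq 'new') {
 $vars->{'is_obsolete'} = $cgi->param('obsolete') ? 1 : 0;
 Bugzilla::Field::create_or_update($vars);
+ delete_token($token);
 $vars->{'message'} = 'custom_field_created';
@@ -109,11 +115,13 @@ elsif ($action eq 'edit') {
 $field || ThrowUserError('customfield_nonexistent', {'name' => $name});
 $vars->{'field'} = $field;
+ $vars->{'token'} = issue_session_token('edit_field');
 $template->process('admin/custom_fields/edit.html.tmpl', $vars)
 || ThrowTemplateError($template->error());
 }
 elsif ($action eq 'update') {
+ check_token_data($token, 'edit_field');
 my $name = $cgi->param('name');
 my $desc = clean_text($cgi->param('desc') || '');
 my $sortkey = $cgi->param('sortkey') || 0;
@@ -144,18 +152,13 @@ elsif ($action eq 'update') {
 $vars->{'is_obsolete'} = $cgi->param('obsolete') ? 1 : 0;
 Bugzilla::Field::create_or_update($vars);
+ delete_token($token);
 $vars->{'message'} = 'custom_field_updated';
 $template->process('admin/custom_fields/list.html.tmpl', $vars)
 || ThrowTemplateError($template->error());
 }
-elsif ($action eq 'del') {
- die "not yet implemented...\n";
-}
-elsif ($action eq 'delete') {
- die "not yet implemented...\n";
-}
 else {
 ThrowUserError('no_valid_action', {'field' => 'custom_field'});
 }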
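Review bot: The `check_token_data($token, 'add_field')` call at the top of the `new` branch and `check_token_data($token, 'edit_field')` at the top of the `update` branch are undocumented, and nothing explains why the matching `delete_token($token)` lines sit after `Bugzilla::Field::create_or_update($vars)` rather than next to the check, so a later maintainer could move the delete up and break retries. I would add above each check: `# Reject submissions that do not carry the token issued by the 'add'/'edit' form. The token is only deleted once create_or_update succeeds, so a validation error leaves it usable for a corrected resubmission.` The validation that may raise a user error between the check and the delete lies outside these hunks, so whether that retry behaviour is intended is inferred rather than visible here. Both branches begin inside the hunks but their bodies continue outside them.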