authorjocuri%softhome.net <>2005-01-16 23:07:31 +0100
committerjocuri%softhome.net <>2005-01-16 23:07:31 +0100
commita1d58085aa7e7c2d3e1342b92c4887b0d22926f1 (patch)
tree282b82eb7d968d37e79f8926018dbe83d8f9b02f /editusers.cgi
parent0d26bef4816cffaf4ccd068162130b1af6b32fdb (diff)
Patch for bug 265898: edit*.cgi files should all use ThrowUserError(); patch by Frédéric Buclin <LpSolit@gmail.com>, r=vladd, a=myk.
Diffstat (limited to 'editusers.cgi')
-rwxr-xr-xeditusers.cgi71
1 files changed, 24 insertions, 47 deletions
diff --git a/editusers.cgi b/editusers.cgi
index 7f3eef3a9..a70e3fcf2 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -243,17 +243,12 @@ print Bugzilla->cgi->header();
$editall = UserInGroup("editusers");
-if (!$editall) {
- if (!Bugzilla->user->can_bless) {
- PutHeader("Not allowed");
- print "Sorry, you aren't a member of the 'editusers' group, and you\n";
- print "don't have permissions to put people in or out of any group.\n";
- print "And so, you aren't allowed to add, modify or delete users.\n";
- PutTrailer();
- exit;
- }
-}
-
+$editall
+ || Bugzilla->user->can_bless
+ || ThrowUserError("auth_failure", {group => "editusers",
+ reason => "cant_bless",
+ action => "edit",
+ object => "users"});
#
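Review bot: The rewritten gate `$editall || Bugzilla->user->can_bless || ThrowUserError(...)` only denies access if ThrowUserError() never returns, whereas the removed code ended each refusal with an explicit `exit`. That behaviour is not visible in this diff, so confirm it and record it next to the check, e.g. `# ThrowUserError() ends the request; code below runs only for authorized users.` The same applies to the `$editall || ThrowUserError(...)` guards added in the 'add', 'new', 'del' and 'delete' branches. As a style point, a `||` chain used as a statement is easy to read past; `unless ($editall || Bugzilla->user->can_bless) { ThrowUserError(...) }` makes the access check stand out.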
@@ -385,13 +380,10 @@ if ($action eq 'list') {
#
if ($action eq 'add') {
+ $editall || ThrowUserError("auth_failure", {group => "editusers",
+ action => "add",
+ object => "users"});
PutHeader("Add user");
- if (!$editall) {
- print "Sorry, you don't have permissions to add new users.";
- PutTrailer();
- exit;
- }
-
print "<FORM METHOD=POST ACTION=editusers.cgi>\n";
print "<TABLE BORDER=0 CELLPADDING=4 CELLSPACING=0><TR>\n";
@@ -415,13 +407,9 @@ if ($action eq 'add') {
#
if ($action eq 'new') {
- PutHeader("Adding new user");
-
- if (!$editall) {
- print "Sorry, you don't have permissions to add new users.";
- PutTrailer();
- exit;
- }
+ $editall || ThrowUserError("auth_failure", {group => "editusers",
+ action => "add",
+ object => "users"});
# Cleanups and valididy checks
my $realname = trim($::FORM{realname} || '');
@@ -432,6 +420,7 @@ if ($action eq 'new') {
my $disabledtext = trim($::FORM{disabledtext} || '');
my $emailregexp = Param("emailregexp");
+ PutHeader("Adding new user");
unless ($user) {
print "You must enter a name for the new user. Please press\n";
print "<b>Back</b> and try again.\n";
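Review bot: The empty-name check directly below the moved `PutHeader("Adding new user")` still reports its failure with raw `print` statements, so the 'new' branch mixes two error styles after this change. The rest of the branch lies outside the hunk, so other validation failures may be in the same state. Routing them through ThrowUserError() with their own error tags would give one error path for the whole branch and let PutHeader() move below all validation, as was done for the permission check.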
@@ -494,17 +483,10 @@ if ($action eq 'new') {
#
if ($action eq 'del') {
- PutHeader("Delete user $user");
- if (!$candelete) {
- print "Sorry, deleting users isn't allowed.";
- PutTrailer();
- exit;
- }
- if (!$editall) {
- print "Sorry, you don't have permissions to delete users.";
- PutTrailer();
- exit;
- }
+ $candelete || ThrowUserError("users_deletion_disabled");
+ $editall || ThrowUserError("auth_failure", {group => "editusers",
+ action => "delete",
+ object => "users"});
CheckUser($user);
# display some data about the user
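Review bot: `$candelete || ThrowUserError("users_deletion_disabled");` runs before the `$editall` check, so a caller who passed the top-level gate through `can_bless` alone learns whether user deletion is enabled instead of getting `auth_failure`. Putting the `$editall || ThrowUserError("auth_failure", ...)` line first answers unauthorized callers the same way regardless of configuration. The 'delete' branch further down has the two lines in the same order and would need the same swap.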
@@ -514,6 +496,7 @@ if ($action eq 'del') {
FetchSQLData();
$realname = ($realname ? html_quote($realname) : "<FONT COLOR=\"red\">missing</FONT>");
+ PutHeader("Delete user $user");
print "<TABLE BORDER=1 CELLPADDING=4 CELLSPACING=0>\n";
print "<TR BGCOLOR=\"#6666FF\">\n";
print " <TH VALIGN=\"top\" ALIGN=\"left\">Part</TH>\n";
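Review bot: `PutHeader("Delete user $user")` interpolates `$user` into the page title with no visible escaping, while `$realname` on the line above goes through `html_quote()`. Where `$user` is assigned is outside this hunk; if it is request input and PutHeader() does not escape its argument, the login name is reflected into the page as markup. Confirm which side owns the escaping and, if it is the caller, use `PutHeader("Delete user " . html_quote($user));`.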
@@ -628,17 +611,10 @@ if ($action eq 'del') {
#
if ($action eq 'delete') {
- PutHeader("Deleting user");
- if (!$candelete) {
- print "Sorry, deleting users isn't allowed.";
- PutTrailer();
- exit;
- }
- if (!$editall) {
- print "Sorry, you don't have permissions to delete users.";
- PutTrailer();
- exit;
- }
+ $candelete || ThrowUserError("users_deletion_disabled");
+ $editall || ThrowUserError("auth_failure", {group => "editusers",
+ action => "delete",
+ object => "users"});
CheckUser($user);
SendSQL("SELECT userid
@@ -651,8 +627,9 @@ if ($action eq 'delete') {
WHERE login_name=" . SqlQuote($user));
SendSQL("DELETE FROM user_group_map
WHERE user_id=" . $userid);
- print "User deleted.<BR>\n";
+ PutHeader("Deleting user");
+ print "User deleted.<BR>\n";
PutTrailer($localtrailer);
exit;
}
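Review bot: `WHERE user_id=" . $userid` is concatenated into the DELETE unquoted, unlike `SqlQuote($user)` on the line above it. `$userid` presumably comes from the `SELECT userid` at the end of the previous hunk, but the assignment is not visible here. A numeric check on `$userid` before the first DELETE, with an error if it fails, would keep the statement safe even if that assumption stops holding.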