diff options
author | lpsolit%gmail.com <> | 2005-11-30 21:00:53 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2005-11-30 21:00:53 +0100 |
commit | d3395fe6bb0c74f4fe6e69387cba62ae633b7e27 (patch) | |
tree | 852fb0cb39326b9ff4e3ef2f0cc4dd2d5ebb5b56 /editusers.cgi | |
parent | 36246089ead57652b79c16d204164aec0a475a3c (diff) | |
download | bugzilla-d3395fe6bb0c74f4fe6e69387cba62ae633b7e27.tar.gz bugzilla-d3395fe6bb0c74f4fe6e69387cba62ae633b7e27.tar.xz |
Bug 314039: editusers.cgi edits user 0 if you don't pass a userid - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wurblzap a=justdave
Diffstat (limited to 'editusers.cgi')
-rwxr-xr-x | editusers.cgi | 107 |
1 files changed, 67 insertions, 40 deletions
diff --git a/editusers.cgi b/editusers.cgi index c17e0c286..e9b61b13d 100755 --- a/editusers.cgi +++ b/editusers.cgi @@ -15,6 +15,7 @@ # # Contributor(s): Marc Schumann <wurblzap@gmail.com> # Lance Larsh <lance.larsh@oracle.com> +# Frédéric Buclin <LpSolit@gmail.com> use strict; use lib "."; @@ -29,14 +30,14 @@ use Bugzilla::Config; use Bugzilla::Constants; use Bugzilla::Util; use Bugzilla::Field; +use Bugzilla::Group; -Bugzilla->login(LOGIN_REQUIRED); +my $user = Bugzilla->login(LOGIN_REQUIRED); my $cgi = Bugzilla->cgi; my $template = Bugzilla->template; my $vars = {}; my $dbh = Bugzilla->dbh; -my $user = Bugzilla->user; my $userid = $user->id; my $editusers = $user->in_group('editusers'); @@ -48,19 +49,12 @@ $editusers action => "edit", object => "users"}); -print Bugzilla->cgi->header(); +print $cgi->header(); # Common CGI params -my $action = $cgi->param('action') || 'search'; -my $login = $cgi->param('login'); -my $password = $cgi->param('password'); -my $groupid = $cgi->param('groupid'); -my $otherUser = new Bugzilla::User($cgi->param('userid')); -my $realname = trim($cgi->param('name') || ''); -my $disabledtext = trim($cgi->param('disabledtext') || ''); - -# Directly from common CGI params derived values -my $otherUserID = $otherUser->id(); +my $action = $cgi->param('action') || 'search'; +my $otherUserID = $cgi->param('userid'); +my $otherUserLogin = $cgi->param('user'); # Prefill template vars with data used in all or nearly all templates $vars->{'editusers'} = $editusers; @@ -84,6 +78,13 @@ if ($action eq 'search') { my $nextCondition; my $visibleGroups; + # If a group ID is given, make sure it is a valid one. + my $group; + if ($grouprestrict) { + $group = new Bugzilla::Group(scalar $cgi->param('groupid')); + $group || ThrowUserError('invalid_group_ID'); + } + if (!$editusers && Param('usevisibilitygroups')) { # Show only users in visible groups. $visibleGroups = $user->visible_groups_as_string(); @@ -134,9 +135,8 @@ if ($action eq 'search') { # Handle selection by group. if ($grouprestrict eq '1') { - detaint_natural($groupid); my $grouplist = join(',', - @{Bugzilla::User->flatten_group_membership($groupid)}); + @{Bugzilla::User->flatten_group_membership($group->id)}); $query .= " $nextCondition profiles.userid = ugm.user_id " . "AND ugm.group_id IN($grouplist)"; } @@ -149,9 +149,9 @@ if ($action eq 'search') { } if ($matchtype eq 'exact' && scalar(@{$vars->{'users'}}) == 1) { - $otherUserID = $vars->{'users'}[0]->{'userid'}; - $otherUser = new Bugzilla::User($otherUserID); - edit_processing(); + my $match_user_id = $vars->{'users'}[0]->{'userid'}; + my $match_user = check_user($match_user_id); + edit_processing($match_user); } else { $template->process('admin/users/list.html.tmpl', $vars) || ThrowTemplateError($template->error()); @@ -172,6 +172,11 @@ if ($action eq 'search') { action => "add", object => "users"}); + my $login = $cgi->param('login'); + my $password = $cgi->param('password'); + my $realname = trim($cgi->param('name') || ''); + my $disabledtext = trim($cgi->param('disabledtext') || ''); + # Lock tables during the check+creation session. $dbh->bz_lock_tables('profiles WRITE', 'profiles_activity WRITE', @@ -196,11 +201,11 @@ if ($action eq 'search') { trick_taint($disabledtext); insert_new_user($login, $realname, $password, $disabledtext); - $otherUserID = $dbh->bz_last_key('profiles', 'userid'); + my $new_user_id = $dbh->bz_last_key('profiles', 'userid'); $dbh->bz_unlock_tables(); - my $newprofile = new Bugzilla::User($otherUserID); + my $newprofile = new Bugzilla::User($new_user_id); $newprofile->derive_regexp_groups(); - userDataToVars($otherUserID); + userDataToVars($new_user_id); $vars->{'message'} = 'account_created'; $template->process('admin/users/edit.html.tmpl', $vars) @@ -208,13 +213,14 @@ if ($action eq 'search') { ########################################################################### } elsif ($action eq 'edit') { - - edit_processing(); + my $otherUser = check_user($otherUserID, $otherUserLogin); + edit_processing($otherUser); ########################################################################### } elsif ($action eq 'update') { - $otherUser - || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')}); + my $otherUser = check_user($otherUserID, $otherUserLogin); + $otherUserID = $otherUser->id; + my $logoutNeeded = 0; my @changedFields; @@ -240,9 +246,13 @@ if ($action eq 'search') { # Cleanups my $loginold = $cgi->param('loginold') || ''; my $realnameold = $cgi->param('nameold') || ''; - my $password = $cgi->param('password') || ''; my $disabledtextold = $cgi->param('disabledtextold') || ''; + my $login = $cgi->param('login'); + my $password = $cgi->param('password'); + my $realname = trim($cgi->param('name') || ''); + my $disabledtext = trim($cgi->param('disabledtext') || ''); + # Update profiles table entry; silently skip doing this if the user # is not authorized. if ($editusers) { @@ -289,7 +299,7 @@ if ($action eq 'search') { } if (@changedFields) { push (@values, $otherUserID); - $logoutNeeded && Bugzilla->logout_user_by_id($otherUserID); + $logoutNeeded && Bugzilla->logout_user($otherUser); $dbh->do('UPDATE profiles SET ' . join(' = ?,', @changedFields).' = ? ' . 'WHERE userid = ?', @@ -401,8 +411,8 @@ if ($action eq 'search') { ########################################################################### } elsif ($action eq 'del') { - $otherUser - || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')}); + my $otherUser = check_user($otherUserID, $otherUserLogin); + $otherUserID = $otherUser->id; Param('allowuserdeletion') || ThrowUserError('users_deletion_disabled'); $editusers || ThrowUserError('auth_failure', {group => "editusers", @@ -469,9 +479,8 @@ if ($action eq 'search') { ########################################################################### } elsif ($action eq 'delete') { - $otherUser - || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')}); - my $otherUserLogin = $otherUser->login(); + my $otherUser = check_user($otherUserID, $otherUserLogin); + $otherUserID = $otherUser->id; # Cache for user accounts. my %usercache = (0 => new Bugzilla::User()); @@ -516,7 +525,7 @@ if ($action eq 'search') { @{$otherUser->product_responsibilities()} && ThrowUserError('user_has_responsibility'); - Bugzilla->logout_user_by_id($otherUserID); + Bugzilla->logout_user($otherUser); # Get the timestamp for LogActivityEntry. my $timestamp = $dbh->selectrow_array('SELECT NOW()'); @@ -679,7 +688,7 @@ if ($action eq 'search') { $dbh->bz_unlock_tables(); $vars->{'message'} = 'account_deleted'; - $vars->{'otheruser'}{'login'} = $otherUserLogin; + $vars->{'otheruser'}{'login'} = $otherUser->login; $vars->{'restrictablegroups'} = $user->bless_groups(); $template->process('admin/users/search.html.tmpl', $vars) || ThrowTemplateError($template->error()); @@ -702,6 +711,27 @@ exit; # Helpers ########################################################################### +# Try to build a user object using its ID, else its login name, and throw +# an error if the user does not exist. +sub check_user { + my ($otherUserID, $otherUserLogin) = @_; + + my $otherUser; + my $vars = {}; + + if ($otherUserID) { + $otherUser = Bugzilla::User->new($otherUserID); + $vars->{'user_id'} = $otherUserID; + } + elsif ($otherUserLogin) { + $otherUser = Bugzilla::User->new_from_login($otherUserLogin); + $vars->{'user_login'} = $otherUserLogin; + } + ($otherUser && $otherUser->id) || ThrowCodeError('invalid_user', $vars); + + return $otherUser; +} + # Copy incoming list selection values from CGI params to template variables. sub mirrorListSelectionValues { if (defined($cgi->param('matchtype'))) { @@ -770,19 +800,16 @@ sub userDataToVars { } } -sub edit_processing -{ - $otherUser - || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')}); +sub edit_processing { + my $otherUser = shift; $editusers || $user->can_see_user($otherUser) || ThrowUserError('auth_failure', {reason => "not_visible", action => "modify", object => "user"}); - userDataToVars($otherUserID); + userDataToVars($otherUser->id); $template->process('admin/users/edit.html.tmpl', $vars) || ThrowTemplateError($template->error()); - } |