diff options
author | lpsolit%gmail.com <> | 2006-05-08 09:18:55 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2006-05-08 09:18:55 +0200 |
commit | 59578066a51ec9ef902e9a164d892d5d7e2a34ce (patch) | |
tree | 4dee1002c6d2b9a4e38aeaa110158bfbfcefc364 /process_bug.cgi | |
parent | de2473331317dee776a12421ed9cd38e8436f582 (diff) | |
download | bugzilla-59578066a51ec9ef902e9a164d892d5d7e2a34ce.tar.gz bugzilla-59578066a51ec9ef902e9a164d892d5d7e2a34ce.tar.xz |
Bug 337026: Users with no privs cannot edit bugs anymore (if being logged out first) - Patch by Frédéric Buclin <LpSolit@gmail.com> r/a=justdave
Diffstat (limited to 'process_bug.cgi')
-rwxr-xr-x | process_bug.cgi | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/process_bug.cgi b/process_bug.cgi index 9ef459bec..8e93e3f09 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -838,6 +838,26 @@ sub ChangeResolution { if (!$cgi->param('dontchange') || $str ne $cgi->param('dontchange')) { + # Make sure the user is allowed to change the resolution. + # If the user is changing several bugs at once using the UI, + # then he has enough privs to do so. In the case he is hacking + # the URL, we don't care if he reads --UNKNOWN-- as a resolution + # in the error message. + my $old_resolution = '-- UNKNOWN --'; + my $bug_id = $cgi->param('id'); + if ($bug_id) { + $old_resolution = + $dbh->selectrow_array('SELECT resolution FROM bugs WHERE bug_id = ?', + undef, $bug_id); + } + unless (CheckCanChangeField('resolution', $bug_id, $old_resolution, $str)) { + $vars->{'oldvalue'} = $old_resolution; + $vars->{'newvalue'} = $str; + $vars->{'field'} = 'resolution'; + $vars->{'privs'} = $PrivilegesRequired; + ThrowUserError("illegal_change", $vars); + } + DoComma(); $::query .= "resolution = ?"; trick_taint($str); @@ -1539,6 +1559,9 @@ foreach my $id (@idlist) { } } foreach my $col (@::log_columns) { + # The 'resolution' field is checked by ChangeResolution(), + # i.e. only if we effectively use it. + next if ($col eq 'resolution'); if (exists $formhash{$col} && !CheckCanChangeField($col, $id, $oldhash{$col}, $formhash{$col})) { |