authorbugreport%peshkin.net <>2005-10-19 06:12:45 +0200
committerbugreport%peshkin.net <>2005-10-19 06:12:45 +0200
commit89222752d44a4c99e6b901e95adf9e613d705815 (patch)
treee7432b5b71d968e55f20fb04c412b524395ba85b /process_bug.cgi
parent6372dbd5d9f79a86989897a14647ef5a4b0363eb (diff)
Bug 141593 You can add/remove dependencies on bugs you can't see
Patch by Joel Peshkin <bugreport@peshkin.net> r=lpsolit, a=justdave
Diffstat (limited to 'process_bug.cgi')
-rwxr-xr-xprocess_bug.cgi28
1 files changed, 23 insertions, 5 deletions
diff --git a/process_bug.cgi b/process_bug.cgi
index 0cc4a224f..adb6a3ded 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -43,6 +43,7 @@ use strict;
my $UserInEditGroupSet = -1;
my $UserInCanConfirmGroupSet = -1;
my $PrivilegesRequired = 0;
+my $lastbugid = 0;
use lib qw(.);
@@ -144,14 +145,32 @@ ValidateComment(scalar $cgi->param('comment'));
# is a bug alias that gets converted to its corresponding bug ID
# during validation.
foreach my $field ("dependson", "blocked") {
- if ($cgi->param($field)) {
- my @validvalues;
+ if ($cgi->param('id')) {
+ my $bug = new Bugzilla::Bug($cgi->param('id'), $user->id);
+ my @old = @{$bug->$field};
+ my @new;
foreach my $id (split(/[\s,]+/, $cgi->param($field))) {
next unless $id;
ValidateBugID($id, $field);
- push(@validvalues, $id);
+ push @new, $id;
+ }
+ $cgi->param($field, join(",", @new));
+ my ($added, $removed) = Bugzilla::Util::diff_arrays(\@old, \@new);
+ foreach my $id (@$added , @$removed) {
+ # ValidateBugID is called without $field here so that it will
+ # throw an error if any of the changed bugs are not visible.
+ ValidateBugID($id);
+ if (!CheckCanChangeField($field, $bug->bug_id, 0, 1)) {
+ $vars->{'privs'} = $PrivilegesRequired;
+ $vars->{'field'} = $field;
+ ThrowUserError("illegal_change", $vars);
+ }
}
- $cgi->param($field, join(",", @validvalues));
+ } else {
+ # Bugzilla does not support mass-change of dependencies so they
+ # are not validated. To prevent a URL-hacking risk, the dependencies
+ # are deleted for mass-changes.
+ $cgi->delete($field);
}
}
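Review bot: `new Bugzilla::Bug($cgi->param('id'), $user->id)` evaluates `$cgi->param('id')` in list context, so a request carrying more than one `id` value would pass extra arguments and push `$user->id` out of its expected position in the constructor call that the new visibility checks depend on. The file already forces scalar context elsewhere (`ValidateComment(scalar $cgi->param('comment'))` in the hunk header), and I would do the same here: `my $bug = new Bugzilla::Bug(scalar $cgi->param('id'), $user->id);`. Separately, the old `if ($cgi->param($field))` guard is gone, so when a single-bug request omits `dependson` or `blocked` the `split` runs on undef, `@new` stays empty and every existing dependency ends up in `@$removed`. If that is not intended, `next unless defined $cgi->param($field);` at the top of the `if` branch would leave the field untouched. How later code consumes the rewritten parameter is outside this hunk, so the second point should be confirmed against it.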
@@ -353,7 +372,6 @@ if (((defined $cgi->param('id') && $cgi->param('product') ne $oldproduct)
# now, the rules are pretty simple, and don't look at the field itself very
# much, but that could be enhanced.
-my $lastbugid = 0;
my $ownerid;
my $reporterid;
my $qacontactid;