diff options
author | terry%mozilla.org <> | 1999-05-28 00:17:25 +0200 |
---|---|---|
committer | terry%mozilla.org <> | 1999-05-28 00:17:25 +0200 |
commit | f47c0339e2c258c878e6284970d917dcd3960cba (patch) | |
tree | ce7a23f45dfc55420b74e8cb4c7c4fb956261421 /showdependencytree.cgi | |
parent | 9b1a447768cf2986a77c341274a254f06fe9d79d (diff) | |
download | bugzilla-f47c0339e2c258c878e6284970d917dcd3960cba.tar.gz bugzilla-f47c0339e2c258c878e6284970d917dcd3960cba.tar.xz |
Patched minor security hole; don't show summary of bugs that the user
doesn't have permission to see.
Diffstat (limited to 'showdependencytree.cgi')
-rwxr-xr-x | showdependencytree.cgi | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/showdependencytree.cgi b/showdependencytree.cgi index 92964648f..f457d67a3 100755 --- a/showdependencytree.cgi +++ b/showdependencytree.cgi @@ -37,6 +37,10 @@ PutHeader("Dependency tree", "Dependency tree", "Bug $linkedid"); ConnectToDatabase(); +quietly_check_login(); + +$::usergroupset = $::usergroupset; # More warning suppression silliness. + my %seen; sub DumpKids { @@ -53,8 +57,10 @@ sub DumpKids { if (@list) { print "<ul>\n"; foreach my $kid (@list) { - SendSQL("select bug_status, short_desc from bugs where bug_id = $kid"); + SendSQL("select bug_status, short_desc from bugs where bug_id = $kid and bugs.groupset & $::usergroupset = bugs.groupset"); my ($stat, $short_desc) = (FetchSQLData()); + $stat = "NEW" if !defined $stat; + $short_desc = "" if !defined $short_desc; my $opened = ($stat eq "NEW" || $stat eq "ASSIGNED" || $stat eq "REOPENED"); print "<li>"; |