author: karl%kornel.name <> 2005-11-20 10:31:35 +0100
committer: karl%kornel.name <> 2005-11-20 10:31:35 +0100
commit: 3b2f0ca83f4670d408902a00bfe4264cee5c57aa (patch)
tree: 3b684b276d8f99f718c93df6cd75bc8463afbd89 /template/en/default/admin/sudo.html.tmpl
parent: 5ad7900f7b12f1b81bdc068282b7106be8aae407 (diff)
Bug 312441: relogin.cgi allows you to impersonate user accounts you are not allowed to see when 'usevisibilitygroups' is on - Patch by A. Karl Kornel <karl@kornel.name> r=LpSolit a=justdave
Diffstat (limited to 'template/en/default/admin/sudo.html.tmpl')
-rw-r--r-- template/en/default/admin/sudo.html.tmpl | 27
1 files changed, 17 insertions, 10 deletions
diff --git a/template/en/default/admin/sudo.html.tmpl b/template/en/default/admin/sudo.html.tmpl
index 12aa586a6..4e781796c 100644
--- a/template/en/default/admin/sudo.html.tmpl
+++ b/template/en/default/admin/sudo.html.tmpl
@@ -66,7 +66,8 @@
<p>
Next, please take a moment to explain why you are doing this:<br>
- <input type="text" name="reason" size="80" maxlength="200">
+ <input type="text" name="reason" size="80" maxlength="200" value="
+ [%- reason_default FILTER html %]">
</p>
<p>
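Review bot: the `reason` value being echoed back here is user-supplied text, so the `FILTER html` on `[%- reason_default FILTER html %]` is the only thing keeping a re-displayed reason from becoming reflected markup in the admin page; keep the filter on that directive and make sure any other place that renders the stored reason escapes it the same way. Note also that `maxlength="200"` is enforced only by the browser, so the CGI handling the submission still needs to validate or truncate the reason length itself.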
@@ -75,21 +76,27 @@
are impersonating them.
</p>
- <p>
- Finally, click the button to begin the session:
- <input type="submit" value="Begin Session">
- <input type="hidden" name="action" value="sudo-transition">
- </p>
-
- [% IF will_logout %]
+ [% IF user.get_flag("can_logout") %]
<p>
- When you press the button, you may be logged out and asked to log in
- again. This is done for two reasons. First of all, it is done to reduce
+ Finally, enter your [% terms.Bugzilla %] password:
+ <input type="hidden" name="Bugzilla_login" value="
+ [%- user.login FILTER html %]">
+ <input type="password" name="Bugzilla_password" maxlength="20" size="20">
+ <br>
+ This is done for two reasons. First of all, it is done to reduce
the chances of someone doing large amounts of damage using your
already-logged-in account. Second, it is there to force you to take the
time to consider if you really need to use this feature.
</p>
[% END %]
+
+ <p>
+ Click the button to begin the session:
+ <input type="submit" value="Begin Session">
+ <input type="hidden" name="action" value="begin-sudo">
+ <input type="hidden" name="token" value="[% token FILTER html %]">
+ </p>
+
</form>
[% PROCESS global/footer.html.tmpl %]
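Review bot: `maxlength="20"` on the `Bugzilla_password` field silently truncates anything the user types beyond 20 characters, so accounts with longer passwords would fail this re-authentication step (or, worse, succeed only if the server truncates the same way); drop the `maxlength` here, or make it match whatever limit the password code actually enforces. The new hidden `token` field is what ties the `begin-sudo` submission to this form, so the server-side handler for `action=begin-sudo` must check the token before starting the session, otherwise the password prompt alone does not stop a cross-site request. Also, the explanatory sentence "This is done for two reasons." now follows the password field and reads as if it explains the field rather than the logout it originally described; consider rewording it to say the password is required for those reasons.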