-rw-r--r-- | Bugzilla/WebService/Server.pm | 1 | ||||
-rwxr-xr-x | buglist.cgi | 2 | ||||
-rw-r--r-- | js/field.js | 1 | ||||
-rwxr-xr-x | query.cgi | 3 | ||||
-rw-r--r-- | template/en/default/email/bugmail.html.tmpl | 1 | ||||
-rw-r--r-- | template/en/default/global/confirm-user-match.html.tmpl | 8 | ||||
-rw-r--r-- | template/en/default/search/knob.html.tmpl | 26 |
7 files changed, 28 insertions, 14 deletions
diff --git a/Bugzilla/WebService/Server.pm b/Bugzilla/WebService/Server.pm index 4e0315219..feb80e9d0 100644 --- a/Bugzilla/WebService/Server.pm +++ b/Bugzilla/WebService/Server.pm @@ -25,6 +25,7 @@ use Scalar::Util qw(blessed); sub handle_login { my ($self, $class, $method, $full_method) = @_; + ThrowCodeError('unknown_method', {method => $full_method}) if !$class; eval "require $class"; ThrowCodeError('unknown_method', {method => $full_method}) if $@; return if ($class->login_exempt($method) diff --git a/buglist.cgi b/buglist.cgi index 6236a5669..0e73378a8 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -462,6 +462,8 @@ if ($cmdtype eq "dorem") { elsif (($cmdtype eq "doit") && defined $cgi->param('remtype')) { if ($cgi->param('remtype') eq "asdefault") { $user = Bugzilla->login(LOGIN_REQUIRED); + my $token = $cgi->param('token'); + check_hash_token($token, ['searchknob']); InsertNamedQuery(DEFAULT_QUERY_NAME, $buffer); $vars->{'message'} = "buglist_new_default_query"; } diff --git a/js/field.js b/js/field.js index e3fe460cf..5f01904cd 100644 --- a/js/field.js +++ b/js/field.js @@ -773,6 +773,7 @@ YAHOO.bugzilla.keywordAutocomplete = { } var keywordAutoComp = new YAHOO.widget.AutoComplete(field, container, this.dataSource); keywordAutoComp.maxResultsDisplayed = YAHOO.bugzilla.keyword_array.length; + keywordAutoComp.formatResult = keywordAutoComp.formatEscapedResult; keywordAutoComp.minQueryLength = 0; keywordAutoComp.useIFrame = true; keywordAutoComp.delimChar = [","," "]; @@ -39,6 +39,7 @@ use Bugzilla::Product; use Bugzilla::Keyword; use Bugzilla::Field; use Bugzilla::Install::Util qw(vers_cmp); +use Bugzilla::Token; my $cgi = Bugzilla->cgi; my $dbh = Bugzilla->dbh; @@ -51,6 +52,8 @@ my $userid = $user->id; if ($cgi->param('nukedefaultquery')) { if ($userid) { + my $token = $cgi->param('token'); + check_hash_token($token, ['nukedefaultquery']); $dbh->do("DELETE FROM namedqueries" . " WHERE userid = ? AND name = ?", undef, ($userid, DEFAULT_QUERY_NAME)); 
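Review bot: The new guard in handle_login rejects only a false `$class`; the unchanged `eval "require $class"` on the following line still string-evaluates any non-empty value, so the safety of this path depends on where `$class` is produced, which is outside the hunk. If it can ever carry request-derived text, validate its shape before the eval, e.g. `ThrowCodeError('unknown_method', {method => $full_method}) if !$class || $class !~ /\A\w+(?:::\w+)*\z/;`. If it always comes from a fixed dispatch map, a comment above the guard saying so would record that assumption for the next maintainer. handle_login's body continues past the end of the hunk.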
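Review bot: Neither added `check_hash_token` call says what it guards or where the matching token is issued; this applies to the `asdefault` branch in buglist.cgi and to the `nukedefaultquery` branch in the query.cgi hunk. The action names `'searchknob'` and `'nukedefaultquery'` have to stay identical to the `issue_hash_token` calls in search/knob.html.tmpl, so a comment such as `# CSRF check: token is issued by search/knob.html.tmpl under the same action name` above each call would keep the two sides from drifting apart. The other `cmdtype`/`remtype` branches that change saved searches lie outside the hunk; it is worth confirming they carry an equivalent check.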
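Review bot: The added `keywordAutoComp.formatResult = keywordAutoComp.formatEscapedResult;` has no comment explaining why the default formatter is replaced. The formatter's return value is presumably used as markup in the suggestion list, so a one-line comment such as `// Keyword names are rendered as HTML in the suggestion list; use the escaping formatter.` would stop a later cleanup from removing the override. Any other AutoComplete instances in this file are outside the hunk and should be checked for the same escaping.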
diff --git a/template/en/default/email/bugmail.html.tmpl b/template/en/default/email/bugmail.html.tmpl index e42b5564d..f8f182548 100644 --- a/template/en/default/email/bugmail.html.tmpl +++ b/template/en/default/email/bugmail.html.tmpl @@ -33,6 +33,7 @@ [% IF comment.count %] <b>[% "Comment # ${comment.count}" FILTER bug_link( bug, {comment_num => comment.count, full_url => 1}) FILTER none %] + on [% "$terms.bug $bug.id" FILTER bug_link( bug, { full_url => 1 }) FILTER none %] from [% INCLUDE global/user.html.tmpl who = comment.author %]</b> [% END %] <pre>[% comment.body_full({ wrap => 1 }) FILTER quoteUrls(bug, comment) %]</pre> diff --git a/template/en/default/global/confirm-user-match.html.tmpl b/template/en/default/global/confirm-user-match.html.tmpl index 5549b516d..cff20d237 100644 --- a/template/en/default/global/confirm-user-match.html.tmpl +++ b/template/en/default/global/confirm-user-match.html.tmpl @@ -150,8 +150,6 @@ [% ELSE %] matched <b>[% query.value.users.0.identity FILTER html %]</b> - <input type="hidden" name="[% field.key FILTER html %]" - value="[% query.value.users.0.login FILTER html %]"> [% END %] [% ELSE %] [% IF (query.key.length < 3) && !Param('emailsuffix') %] @@ -176,8 +174,10 @@ [% IF matchsuccess == 1 %] - [% SET exclude_these = - matches.keys.merge(['Bugzilla_login', 'Bugzilla_password']) %] + [% SET exclude_these = ['Bugzilla_login', 'Bugzilla_password'] %] + [% FOREACH key IN matches.keys %] + [% exclude_these.push(key) IF cgi.param(key) == '' %] + [% END %] [% SET exclude = '^' _ exclude_these.join('|') _ '$' %] [% PROCESS "global/hidden-fields.html.tmpl" exclude = exclude %] diff --git a/template/en/default/search/knob.html.tmpl b/template/en/default/search/knob.html.tmpl index 17ff63a10..e20822bf5 100644 --- a/template/en/default/search/knob.html.tmpl +++ b/template/en/default/search/knob.html.tmpl 
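Review bot: The keys pushed by the new FOREACH in confirm-user-match.html.tmpl feed the pattern built on the unchanged `SET exclude` line, which yields `^a|b|c$`: only the first alternative is anchored at the start and only the last at the end, and the key names are not regex-escaped. Assuming global/hidden-fields.html.tmpl applies `exclude` as a regular expression (not visible here), a field whose name merely contains one of the excluded keys would also be dropped from the re-posted form. Grouping the alternation, `[% SET exclude = '^(?:' _ exclude_these.join('|') _ ')$' %]`, would make the match exact. A short `[%# ... %]` comment on the FOREACH stating why only keys with an empty submitted value are excluded would also help.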
@@ -40,6 +40,9 @@ "Last Changed" => "Last Changed" } %] <input type="hidden" name="cmdtype" value="doit"> +[% IF user.id %] + <input type="hidden" name="token" value="[% issue_hash_token(['searchknob']) FILTER html %]"> +[% END %] <p> <label for="order">Sort results by</label>: @@ -56,7 +59,7 @@ <input type="submit" id="[% button_name FILTER html %]" value="[% button_name FILTER html %]"> [% IF known_name %] - [%# We store known_name in case the user add a boolean chart. %] + [%# We store known_name in case the user adds a boolean chart. %] <input type="hidden" name="known_name" value="[% known_name FILTER html %]"> [%# The name of the existing query will be passed to buglist.cgi. %] @@ -68,18 +71,21 @@ [% END %] </p> -<p> - - <input type="checkbox" id="remasdefault" - name="remtype" value="asdefault"> - <label for="remasdefault"> - and remember these as my default search options - </label> -</p> +[% IF user.id %] + <p> + + <input type="checkbox" id="remasdefault" + name="remtype" value="asdefault"> + <label for="remasdefault"> + and remember these as my default search options + </label> + </p> +[% END %] [% IF userdefaultquery %] <p> - <a href="query.cgi?nukedefaultquery=1"> + <a href="query.cgi?nukedefaultquery=1&token= + [%- issue_hash_token(['nukedefaultquery']) FILTER uri %]"> Set my default search back to the system default</a>. </p> [% END %] |
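Review bot: The rewritten `nukedefaultquery` link in the last knob.html.tmpl hunk carries the hash token in the query string of a GET request and writes the separator as a bare `&` inside the `href`. A token placed in a URL can end up in browser history, server access logs and Referer headers, and the deletion in query.cgi is still triggered by a GET; submitting the action by POST would avoid both, if the surrounding markup (outside the hunk) allows it. If the link stays, the separator should be written `&amp;token=` so the attribute is valid HTML.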