summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Bugzilla/Bug.pm35
-rw-r--r--Bugzilla/Search/Quicksearch.pm7
-rwxr-xr-xshow_bug.cgi24
-rw-r--r--template/en/default/bug/comments.html.tmpl3
-rw-r--r--template/en/default/global/user-error.html.tmpl8
5 files changed, 44 insertions, 33 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index eae23d995..2e9ed52e0 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -358,12 +358,14 @@ sub check {
# Bugzilla::Bug throws lots of special errors, so we don't call
# SUPER::check, we just call our new and do our own checks.
- my $self = $class->new(trim($id));
- # For error messages, use the id that was returned by new(), because
- # it's cleaned up.
- $id = $self->id;
+ $id = trim($id);
+ my $self = $class->new($id);
if ($self->{error}) {
+ # For error messages, use the id that was returned by new(), because
+ # it's cleaned up.
+ $id = $self->id;
+
if ($self->{error} eq 'NotFound') {
ThrowUserError("bug_id_does_not_exist", { bug_id => $id });
}
@@ -375,7 +377,7 @@ sub check {
}
unless ($field && $field =~ /^(dependson|blocked|dup_id)$/) {
- $self->check_is_visible;
+ $self->check_is_visible($id);
}
return $self;
}
@@ -391,16 +393,19 @@ sub check_for_edit {
}
sub check_is_visible {
- my $self = shift;
+ my ($self, $input_id) = @_;
+ $input_id ||= $self->id;
my $user = Bugzilla->user;
if (!$user->can_see_bug($self->id)) {
# The error the user sees depends on whether or not they are
# logged in (i.e. $user->id contains the user's positive integer ID).
+ # If we are validating an alias, then use it in the error message
+ # instead of its corresponding bug ID, to not disclose it.
if ($user->id) {
- ThrowUserError("bug_access_denied", { bug_id => $self->id });
+ ThrowUserError("bug_access_denied", { bug_id => $input_id });
} else {
- ThrowUserError("bug_access_query", { bug_id => $self->id });
+ ThrowUserError("bug_access_query", { bug_id => $input_id });
}
}
}
@@ -1471,9 +1476,7 @@ sub _check_dependencies {
: split(/[\s,]+/, $deps_in{$type});
# Eliminate nulls.
@bug_ids = grep {$_} @bug_ids;
- # We do this up here to make sure all aliases are converted to IDs.
- @bug_ids = map { $invocant->check($_, $type)->id } @bug_ids;
-
+
my @check_access = @bug_ids;
# When we're updating a bug, only added or removed bug_ids are
# checked for whether or not we can see/edit those bugs.
@@ -1503,7 +1506,8 @@ sub _check_dependencies {
}
}
}
-
+ # Replace all aliases by their corresponding bug ID.
+ @bug_ids = map { $_ =~ /^(\d+)$/ ? $1 : $invocant->check($_, $type)->id } @bug_ids;
$deps_in{$type} = \@bug_ids;
}
@@ -1520,8 +1524,9 @@ sub _check_dependencies {
sub _check_dup_id {
my ($self, $dupe_of) = @_;
my $dbh = Bugzilla->dbh;
-
- $dupe_of = trim($dupe_of);
+
+ # Store the bug ID/alias passed by the user for visibility checks.
+ my $orig_dupe_of = $dupe_of = trim($dupe_of);
$dupe_of || ThrowCodeError('undefined_field', { field => 'dup_id' });
# Validate the bug ID. The second argument will force check() to only
# make sure that the bug exists, and convert the alias to the bug ID
@@ -1534,7 +1539,7 @@ sub _check_dup_id {
# If we come here, then the duplicate is new. We have to make sure
# that we can view/change it (issue A on bug 96085).
- $dupe_of_bug->check_is_visible;
+ $dupe_of_bug->check_is_visible($orig_dupe_of);
# Make sure a loop isn't created when marking this bug
# as duplicate.
diff --git a/Bugzilla/Search/Quicksearch.pm b/Bugzilla/Search/Quicksearch.pm
index 10f3f768b..17c5635ff 100644
--- a/Bugzilla/Search/Quicksearch.pm
+++ b/Bugzilla/Search/Quicksearch.pm
@@ -285,9 +285,10 @@ sub _handle_alias {
if ($searchstring =~ /^([^,\s]+)$/) {
my $alias = $1;
# We use this direct SQL because we want quicksearch to be VERY fast.
- my $is_alias = Bugzilla->dbh->selectrow_array(
- q{SELECT 1 FROM bugs WHERE alias = ?}, undef, $alias);
- if ($is_alias) {
+ my $bug_id = Bugzilla->dbh->selectrow_array(
+ q{SELECT bug_id FROM bugs WHERE alias = ?}, undef, $alias);
+ # If the user cannot see the bug, do not resolve its alias.
+ if ($bug_id && Bugzilla->user->can_see_bug($bug_id)) {
$alias = url_quote($alias);
print Bugzilla->cgi->redirect(
-uri => correct_urlbase() . "show_bug.cgi?id=$alias");
diff --git a/show_bug.cgi b/show_bug.cgi
index 0da4c4842..48d75512b 100755
--- a/show_bug.cgi
+++ b/show_bug.cgi
@@ -13,8 +13,7 @@ use lib qw(. lib);
use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Error;
-use Bugzilla::User;
-use Bugzilla::Keyword;
+use Bugzilla::Util;
use Bugzilla::Bug;
my $cgi = Bugzilla->cgi;
@@ -38,7 +37,7 @@ if (!$cgi->param('id') && $single) {
my $format = $template->get_format("bug/show", scalar $cgi->param('format'),
scalar $cgi->param('ctype'));
-my @bugs;
+my (@bugs, @illegal_bugs);
my %marks;
# If the user isn't logged in, we use data from the shadow DB. If he plans
@@ -64,22 +63,23 @@ if ($single) {
foreach my $id ($cgi->param('id')) {
# Be kind enough and accept URLs of the form: id=1,2,3.
my @ids = split(/,/, $id);
- foreach (@ids) {
- my $bug = new Bugzilla::Bug($_);
- # This is basically a backwards-compatibility hack from when
- # Bugzilla::Bug->new used to set 'NotPermitted' if you couldn't
- # see the bug.
- if (!$bug->{error} && !$user->can_see_bug($bug->bug_id)) {
- $bug->{error} = 'NotPermitted';
+ foreach my $bug_id (@ids) {
+ next unless $bug_id;
+ my $bug = new Bugzilla::Bug($bug_id);
+ if (!$bug->{error} && $user->can_see_bug($bug->bug_id)) {
+ push(@bugs, $bug);
+ }
+ else {
+ push(@illegal_bugs, { bug_id => trim($bug_id),
+ error => $bug->{error} || 'NotPermitted' });
}
- push(@bugs, $bug);
}
}
}
Bugzilla::Bug->preload(\@bugs);
-$vars->{'bugs'} = \@bugs;
+$vars->{'bugs'} = [@bugs, @illegal_bugs];
$vars->{'marks'} = \%marks;
my @bugids = map {$_->bug_id} grep {!$_->error} @bugs;
diff --git a/template/en/default/bug/comments.html.tmpl b/template/en/default/bug/comments.html.tmpl
index 4a433230b..62beb61ea 100644
--- a/template/en/default/bug/comments.html.tmpl
+++ b/template/en/default/bug/comments.html.tmpl
@@ -85,7 +85,8 @@
[% count = count + increment %]
[% END %]
-[% IF user.settings.comment_box_position.value == "before_comments" && user.id %]
+[% IF mode == "edit" && user.id
+ && user.settings.comment_box_position.value == "before_comments" %]
<div class="bz_add_comment">
<a href="#"
onclick="return goto_add_comments();">
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index fbb9ca169..8f4d7d21c 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -77,9 +77,13 @@
[% ELSIF error == "alias_in_use" %]
[% title = "Alias In Use" %]
- [% terms.Bug %] [%+ bug_id FILTER bug_link(bug_id) FILTER none %]
+ [% IF user.can_see_bug(bug_id) %]
+ [% terms.Bug %] [%+ bug_id FILTER bug_link(bug_id) FILTER none %]
+ [% ELSE %]
+ Another [% terms.bug %]
+ [% END %]
has already taken the alias <em>[% alias FILTER html %]</em>.
- Please choose another one.
+ Please choose another alias.
[% ELSIF error == "alias_is_numeric" %]
[% title = "Alias Is Numeric" %]