diff options
Diffstat (limited to 'Bugzilla/WebService')
| -rw-r--r-- | Bugzilla/WebService/Product.pm | 46 | ||||
| -rw-r--r-- | Bugzilla/WebService/Server/JSONRPC.pm | 14 |
2 files changed, 42 insertions, 18 deletions
diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm index 3414be4fd..3cd0d0a6c 100644 --- a/Bugzilla/WebService/Product.pm +++ b/Bugzilla/WebService/Product.pm @@ -34,6 +34,11 @@ use constant READ_ONLY => qw( get_selectable_products ); +use constant FIELD_MAP => { + has_unconfirmed => 'allows_unconfirmed', + is_open => 'isactive', +}; + ################################################## # Add aliases here for method name compatibility # ################################################## @@ -105,16 +110,22 @@ sub create { action => "add", object => "products"}); # Create product - my $product = Bugzilla::Product->create({ - allows_unconfirmed => $params->{has_unconfirmed}, - classification => $params->{classification}, - name => $params->{name}, - description => $params->{description}, - version => $params->{version}, - defaultmilestone => $params->{default_milestone}, - isactive => $params->{is_open}, - create_series => $params->{create_series} - }); + my $args = { + name => $params->{name}, + description => $params->{description}, + version => $params->{version}, + defaultmilestone => $params->{default_milestone}, + # create_series has no default value. + create_series => defined $params->{create_series} ? + $params->{create_series} : 1 + }; + foreach my $field (qw(has_unconfirmed is_open classification)) { + if (defined $params->{$field}) { + my $name = FIELD_MAP->{$field} || $field; + $args->{$name} = $params->{$field}; + } + } + my $product = Bugzilla::Product->create($args); return { id => $self->type('int', $product->id) }; } @@ -460,6 +471,7 @@ B<Required> C<string> The default version for this product. =item C<has_unconfirmed> C<boolean> Allow the UNCONFIRMED status to be set on bugs in this product. +Default: true. =item C<classification> @@ -467,17 +479,17 @@ C<string> The name of the Classification which contains this product. =item C<default_milestone> -C<string> The default milestone for this product. +C<string> The default milestone for this product. Default: '---'. =item C<is_open> C<boolean> True if the product is currently allowing bugs to be entered -into it. +into it. Default: true. =item C<create_series> C<boolean> True if you want series for New Charts to be created for this -new product. +new product. Default: true. =back @@ -489,6 +501,10 @@ A hash with one element, id. This is the id of the newly-filed product. =over +=item 51 (Classification does not exist) + +You must specify an existing classification name. + =item 700 (Product blank name) You must specify a non-blank name for this product. @@ -511,10 +527,6 @@ You must specify a description for this product. You must specify a version for this product. -=item 705 (Product must define a defaut milestone) - -You must define a default milestone. - =back =back diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index 3b232aafa..cec1c29ea 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -365,7 +365,19 @@ sub _argument_type_check { Bugzilla->input_params($params); - if ($self->request->method ne 'POST') { + if ($self->request->method eq 'POST') { + # CSRF is possible via XMLHttpRequest when the Content-Type header + # is not application/json (for example: text/plain or + # application/x-www-form-urlencoded). + # application/json is the single official MIME type, per RFC 4627. + my $content_type = $self->cgi->content_type; + # The charset can be appended to the content type, so we use a regexp. + if ($content_type !~ m{^application/json(-rpc)?(;.*)?$}i) { + ThrowUserError('json_rpc_illegal_content_type', + { content_type => $content_type }); + } + } + else { # When being called using GET, we don't allow calling # methods that can change data. This protects us against cross-site # request forgeries. |