Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/Bug.pm | 10 | ||||
-rw-r--r-- | Bugzilla/DB/Mysql.pm | 2 | ||||
-rw-r--r-- | Bugzilla/DB/Schema.pm | 5 | ||||
-rw-r--r-- | Bugzilla/Group.pm | 4 | ||||
-rw-r--r-- | Bugzilla/Search.pm | 16 |
5 files changed, 28 insertions, 9 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index dcf85d206..68ba98549 100644 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -2891,7 +2891,8 @@ sub add_see_also { # ref bug id for sending changes email. my $ref_bug = delete $field_values->{ref_bug}; if ($class->isa('Bugzilla::BugUrl::Bugzilla::Local') - and !$skip_recursion) + and !$skip_recursion + and $ref_bug->check_can_change_field('see_also', '', $self->id, \$privs)) { $ref_bug->add_see_also($self->id, 'skip_recursion'); push @{ $self->{_update_ref_bugs} }, $ref_bug; @@ -2923,12 +2924,15 @@ sub remove_see_also { # we need to notify changes for that bug too. $removed_bug_url = $removed_bug_url->[0]; if (!$skip_recursion and $removed_bug_url - and $removed_bug_url->isa('Bugzilla::BugUrl::Bugzilla::Local')) + and $removed_bug_url->isa('Bugzilla::BugUrl::Bugzilla::Local') + and $removed_bug_url->ref_bug_url) { my $ref_bug = Bugzilla::Bug->check($removed_bug_url->ref_bug_url->bug_id); - if (Bugzilla->user->can_edit_product($ref_bug->product_id)) { + if (Bugzilla->user->can_edit_product($ref_bug->product_id) + and $ref_bug->check_can_change_field('see_also', $self->id, '', \$privs)) + { my $self_url = $removed_bug_url->local_uri($self->id); $ref_bug->remove_see_also($self_url, 'skip_recursion'); push @{ $self->{_update_ref_bugs} }, $ref_bug; diff --git a/Bugzilla/DB/Mysql.pm b/Bugzilla/DB/Mysql.pm index 06bf3d8df..fad175eac 100644 --- a/Bugzilla/DB/Mysql.pm +++ b/Bugzilla/DB/Mysql.pm @@ -941,7 +941,9 @@ sub _bz_raw_column_info { $index = name of an index Returns: An abstract index definition, always in hashref format. If the index does not exist, the function returns undef. + =cut + sub bz_index_info_real { my ($self, $table, $index) = @_; diff --git a/Bugzilla/DB/Schema.pm b/Bugzilla/DB/Schema.pm index 6dd78d206..23e484464 100644 --- a/Bugzilla/DB/Schema.pm +++ b/Bugzilla/DB/Schema.pm @@ -1864,6 +1864,7 @@ C<ALTER TABLE> SQL statement sub get_fk_ddl { + =item C<_get_fk_ddl> =over 
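Review bot: In `add_see_also` (Bugzilla/Bug.pm), the new `check_can_change_field('see_also', '', $self->id, \$privs)` condition drops the reciprocal link without any signal when the user may not change `see_also` on the referenced bug, and nothing in the hunk says this is intended. The value written to `$privs` is not read in the visible lines, and `$privs` is declared outside the hunk, so a reader cannot tell whether the overwritten value matters later. A comment above the `if` would settle it, for example `# Skip the reciprocal link silently when the user cannot change see_also on the referenced bug.` The same applies to the matching condition added in `remove_see_also` further down this file.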
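Review bot: In `remove_see_also`, `Bugzilla::Bug->check(...)` still runs before both permission tests, so the added `check_can_change_field` guard only takes effect if `check` returns. `check` is not shown on this page; if it throws when the current user cannot access the referenced bug, the whole removal is aborted rather than the reciprocal update being skipped, which is inconsistent with the silent skip the new condition implements. Worth confirming, and if that is the behaviour, documenting it next to the call with `# check() throws if the user cannot access the referenced bug; the removal is aborted in that case.` The function body starts and ends outside the hunk.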
@@ -1877,7 +1878,9 @@ Protected method. Translates the C<REFERENCES> item of a column into SQL. =over =item C<$table> - The name of the table the reference is from. + =item C<$column> - The name of the column the reference is from + =item C<$references> - The C<REFERENCES> hashref from a column. =back @@ -1978,6 +1981,7 @@ Converts a TYPE from the L</ABSTRACT_SCHEMA> format into the real SQL type. } sub get_column { + =item C<get_column($table, $column)> Description: Public method to get the abstract definition of a column. @@ -2843,6 +2847,7 @@ sub serialize_abstract { in the same fashion as) the current version of Schema. However, it will represent the serialized data instead of ABSTRACT_SCHEMA. + =cut sub deserialize_abstract { diff --git a/Bugzilla/Group.pm b/Bugzilla/Group.pm index 3f521d0f2..109f06d7f 100644 --- a/Bugzilla/Group.pm +++ b/Bugzilla/Group.pm @@ -190,7 +190,9 @@ sub check_members_are_visible { my $self = shift; my $user = Bugzilla->user; return if !Bugzilla->params->{'usevisibilitygroups'}; - my $is_visible = grep { $_->id == $_ } @{ $user->visible_groups_inherited }; + + my $group_id = $self->id; + my $is_visible = grep { $_ == $group_id } @{ $user->visible_groups_inherited }; if (!$is_visible) { ThrowUserError('group_not_visible', { group => $self }); } diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index a4db2e05d..c7c5038be 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm @@ -2050,8 +2050,8 @@ sub _contact_pronoun { my ($self, $args) = @_; my $value = $args->{value}; my $user = $self->_user; - - if ($value =~ /^\%group/) { + + if ($value =~ /^\%group\.[^%]+%$/) { $self->_contact_exact_group($args); } elsif ($value =~ /^(%\w+%)$/) { 
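Review bot: In `check_members_are_visible` (Bugzilla/Group.pm), the corrected `grep { $_ == $group_id }` relies on `visible_groups_inherited` returning plain numeric group ids, the opposite of what the removed line assumed with `$_->id`, and the return type is not visible here. Because this test decides whether `group_not_visible` is thrown, the assumption should be stated beside it, e.g. `# visible_groups_inherited returns group ids, not Bugzilla::Group objects.` If the list ever held objects, `==` would compare reference addresses and the check would reject every group, so a regression test with one visible and one hidden group would pin the intended behaviour.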
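Review bot: The tightened pattern in `_contact_pronoun` (Bugzilla/Search.pm) ends in `$`, which in Perl also matches before a trailing newline, and `[^%]+` accepts newlines inside the group name, so `$value` is not pinned as tightly as the change intends. Anchoring with `\A` and `\z` closes the first gap: `if ($value =~ /\A%group\.[^%]+%\z/) {`. Values that begin with `%group` but fail this pattern now fall through to the `elsif` branches, whose handling lies outside the hunk, so that path deserves a test.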
@@ -2068,11 +2068,17 @@ sub _contact_exact_group { my $dbh = Bugzilla->dbh; my $user = $self->_user; + # We already know $value will match this regexp, else we wouldn't be here. $value =~ /\%group\.([^%]+)%/; - my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' }); - $group->check_members_are_visible(); + my $group_name = $1; + my $group = Bugzilla::Group->check({ name => $group_name, _error => 'invalid_group_name' }); + # Pass $group_name instead of $group->name to the error message + # to not leak the existence of the group. $user->in_group($group) - || ThrowUserError('invalid_group_name', {name => $group->name}); + || ThrowUserError('invalid_group_name', { name => $group_name }); + # Now that we know the user belongs to this group, it's safe + # to disclose more information. + $group->check_members_are_visible(); my $group_ids = Bugzilla::Group->flatten_group_membership($group->id); my $table = "user_group_map_$chart_id"; |
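Review bot: `_contact_exact_group` reads `$1` after a match whose result is never tested, and the pattern here is unanchored while the caller's is anchored, so the new comment "We already know $value will match this regexp" depends on two separate regexes staying in sync. If the match ever fails, `$1` keeps whatever an earlier successful match left in it, and that string is what gets passed to `Bugzilla::Group->check`. Capturing in list context makes the dependency explicit: `my ($group_name) = $value =~ /\A%group\.([^%]+)%\z/;` followed by `ThrowUserError('invalid_group_name', { name => $value }) if !defined $group_name;`. The function continues past the end of the hunk.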