From 2b3d59beabaa45698effb6f72ccb5ee8201df044 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Thu, 8 Dec 2011 23:44:35 +0100 Subject: Bug 707170: Several features about custom fields are missing in the documentation r=dkl a=LpSolit --- docs/en/xml/administration.xml | 57 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 50 insertions(+), 7 deletions(-) diff --git a/docs/en/xml/administration.xml b/docs/en/xml/administration.xml index cabb772d2..1630e2e45 100644 --- a/docs/en/xml/administration.xml +++ b/docs/en/xml/administration.xml @@ -2406,6 +2406,16 @@ ReadOnly: ENTRY, NA/NA, CANEDIT + + + Reverse Relationship Description: + When the custom field is of type Bug ID, you can + enter text here which will be used as label in the referenced + bug to list bugs which point to it. This gives you the ability + to have a mutual relationship between two bugs. + + + Can be set on bug creation: @@ -2442,6 +2452,35 @@ ReadOnly: ENTRY, NA/NA, CANEDIT must be entered. + + + + Field only appears when: + A custom field can be made visible when some criteria is met. + For instance, when the bug belongs to one or more products, + or when the bug is of some given severity. If left empty, then + the custom field will always be visible, in all bugs. + + + + + + Field that controls the values that appear in this field: + When the custom field is of type Drop Down or + Multiple-Selection Box, you can restrict the + availability of the values of the custom field based on the + value of another field. This criteria is independent of the + criteria used in the Field only appears when + setting. For instance, you may decide that some given value + valueY is only available when the bug status + is RESOLVED while the value valueX should + always be listed. + Once you have selected the field which should control the + availability of the values of this custom field, you can + edit values of this custom field to set the criteria, see + . + + 
@@ -2476,13 +2515,12 @@ ReadOnly: ENTRY, NA/NA, CANEDIT Legal Values - Since Bugzilla 2.20 RC1, legal values for Operating Systems, platforms, - bug priorities and severities can be edited from the User Interface - directly. This means that it is no longer required to manually edit - localconfig. Starting with Bugzilla 2.23.3, - the list of valid resolutions can be customized from the same interface. - Since Bugzilla 3.1.1 the list of valid bug statuses can be customized - as well. + Legal values for the operating system, platform, bug priority and + severity, custom fields of type Drop Down and + Multiple-Selection Box (see ), + as well as the list of valid bug statuses and resolutions can be + customized from the same interface. You can add, edit, disable and + remove values which can be used with these fields.
@@ -2498,6 +2536,11 @@ ReadOnly: ENTRY, NA/NA, CANEDIT must be unique to that field. The sortkey is important to display these values in the desired order. + + When the availability of the values of a custom field is controlled + by another field, you can select from here which value of the other field + must be set for the value of the custom field to appear. +
-- cgit v1.2.3-24-g4f1b From 0133e0b65b1d73d87604b9f94b92c712206137e3 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Fri, 9 Dec 2011 00:19:07 +0100 Subject: Bug 644281: When the sort order of a buglist is modified, the "Show next bug in my list" user pref still uses the original sort order to decide which bug to display next r=glob a=LpSolit --- Bugzilla/User.pm | 25 ++++++++++++------------- buglist.cgi | 31 +++++++++++++------------------ 2 files changed, 25 insertions(+), 31 deletions(-) diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index 849c1d915..8455e64c1 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -516,26 +516,21 @@ sub save_last_search { return if !@$bug_ids; + my $search; if ($self->id) { on_main_db { - my $search; if ($list_id) { - # Use eval so that people can still use old search links or - # links that don't belong to them. - $search = eval { Bugzilla::Search::Recent->check( - { id => $list_id }) }; + $search = Bugzilla::Search::Recent->check_quietly({ id => $list_id }); } if ($search) { - # We only update placeholders. (Placeholders are - # Saved::Search::Recent objects with empty bug lists.) - # Otherwise, we could just keep creating new searches - # for the same refreshed list over and over. - if (!@{ $search->bug_list }) { - $search->set_list_order($order); + if (join(',', @{$search->bug_list}) ne join(',', @$bug_ids)) { $search->set_bug_list($bug_ids); - $search->update(); } + if (!$search->list_order || $order ne $search->list_order) { + $search->set_list_order($order); + } + $search->update(); } else { # If we already have an existing search with a totally @@ -548,11 +543,14 @@ sub save_last_search { user_id => $self->id, bug_list => $list_string }); if (!scalar(@$existing_search)) { - Bugzilla::Search::Recent->create({ + $search = Bugzilla::Search::Recent->create({ user_id => $self->id, bug_list => $bug_ids, list_order => $order }); } + else { + $search = $existing_search->[0]; + } } }; delete $self->{recent_searches}; 
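Review bot: In the `if ($search)` branch of save_last_search (Bugzilla/User.pm, hunk -516) the old placeholder-only guard is gone, so whatever record `check_quietly` returns now has its bug list and order overwritten, and the ID it looks up comes from the request. `check_quietly` is not defined in this diff, so the change is safe only if it returns nothing for a search owned by a different user, which is what the removed comment said of the old `eval { ...->check(...) }`. I would put a comment on that call stating the dependency, e.g. `# check_quietly() must return undef for IDs that do not belong to this user; we overwrite whatever it returns.` Separately, `$order ne $search->list_order` will warn if `$order` is ever undef, which nothing in the hunk rules out. The sub starts and ends outside this hunk.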
@@ -574,6 +572,7 @@ sub save_last_search { $vars->{'toolong'} = 1; } } + return $search; } sub settings { diff --git a/buglist.cgi b/buglist.cgi index 85a8ae760..7b513e607 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -164,14 +164,13 @@ my $params; # If the user is retrieving the last bug list they looked at, hack the buffer # storing the query string so that it looks like a query retrieving those bugs. if (my $last_list = $cgi->param('regetlastlist')) { - my ($bug_ids, $order); + my $bug_ids; # Logged-out users use the old cookie method for storing the last search. if (!$user->id or $last_list eq 'cookie') { - $cgi->cookie('BUGLIST') || ThrowUserError("missing_cookie"); - $order = "reuse last sort" unless $order; - $bug_ids = $cgi->cookie('BUGLIST'); + $bug_ids = $cgi->cookie('BUGLIST') or ThrowUserError("missing_cookie"); $bug_ids =~ s/[:-]/,/g; + $order ||= "reuse last sort"; } # But logged in users store the last X searches in the DB so they can # have multiple bug lists available. @@ -179,10 +178,11 @@ if (my $last_list = $cgi->param('regetlastlist')) { my $last_search = Bugzilla::Search::Recent->check( { id => $last_list }); $bug_ids = join(',', @{ $last_search->bug_list }); - $order = $last_search->list_order if !$order; + $order ||= $last_search->list_order; } # set up the params for this new query $params = new Bugzilla::CGI({ bug_id => $bug_ids, order => $order }); + $params->param('list_id', $last_list); } # Figure out whether or not the user is doing a fulltext search. If not, 
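Review bot: `$params->param('list_id', $last_list);` at the end of the `regetlastlist` block in buglist.cgi (hunk -179) runs for both branches, so in the cookie branch `list_id` becomes the literal `cookie`, or whatever value a logged-out client sent, and is then carried into the links built from `urlquerypart`. Only the branch that calls `Bugzilla::Search::Recent->check` has validated the value as a search ID. Guarding the assignment, for example `$params->param('list_id', $last_list) if $last_list =~ /\A\d+\z/;`, or moving it next to the `check` call, keeps non-ID values out of the generated URLs. The block opens in the previous hunk (-164) and part of it lies between the two hunks.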
@@ -972,14 +972,6 @@ if ($format->{'extension'} eq 'ics') { } } -# The list of query fields in URL query string format, used when creating -# URLs to the same query results page with different parameters (such as -# a different sort order or when taking some action on the set of query -# results). To get this string, we call the Bugzilla::CGI::canoncalise_query -# function with a list of elements to be removed from the URL. -$vars->{'urlquerypart'} = $params->canonicalise_query('order', - 'cmdtype', - 'query_based_on'); $vars->{'order'} = $order; $vars->{'caneditbugs'} = 1; $vars->{'time_info'} = $time_info; @@ -1113,17 +1105,20 @@ my $contenttype; my $disposition = "inline"; if ($format->{'extension'} eq "html" && !$agent) { - if (!$cgi->param('regetlastlist')) { - Bugzilla->user->save_last_search( - { bugs => \@bugidlist, order => $order, vars => $vars, - list_id => scalar $cgi->param('list_id') }); - } + my $list_id = $cgi->param('list_id') || $cgi->param('regetlastlist'); + my $search = $user->save_last_search( + { bugs => \@bugidlist, order => $order, vars => $vars, list_id => $list_id }); + $cgi->param('list_id', $search->id) if $search; $contenttype = "text/html"; } else { $contenttype = $format->{'ctype'}; } +# Set 'urlquerypart' once the buglist ID is known. +$vars->{'urlquerypart'} = $params->canonicalise_query('order', 'cmdtype', + 'query_based_on'); + if ($format->{'extension'} eq "csv") { # We set CSV files to be downloaded, as they are designed for importing # into other programs. -- cgit v1.2.3-24-g4f1b From a6aa75fc6f96527f01e8b4f0da414d9fa8ad8ce1 Mon Sep 17 00:00:00 2001 From: Reed Loden Date: Tue, 13 Dec 2011 14:30:07 -0800 Subject: Bug 705474 - CSRF vulnerability in createaccount.cgi allows possible unauthorized account creation e-mail request [r=mkanat a=mkanat] --- Bugzilla/Token.pm | 9 +++++++-- createaccount.cgi | 5 +++++ template/en/default/account/create.html.tmpl | 1 + 3 files changed, 13 insertions(+), 2 deletions(-) 
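Review bot: In the -1113 hunk of buglist.cgi the ID returned by save_last_search is stored with `$cgi->param('list_id', $search->id)`, but `urlquerypart` is built from `$params`, which the `regetlastlist` block earlier in this commit sets to a separate `Bugzilla::CGI` object. If `$params` is also a distinct object on the other paths (not visible here), the links generated from `urlquerypart` will not carry the new ID, despite the comment `# Set 'urlquerypart' once the buglist ID is known.` Consider adding `$params->param('list_id', $search->id) if $search;` next to the `$cgi` call, or a comment explaining why updating `$cgi` alone is enough. Note also that `$list_id` is request-controlled and is passed to save_last_search unchecked here, so the ownership check inside that sub is what protects other users' saved lists.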
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm index 86220aa29..2bb68e721 100644 --- a/Bugzilla/Token.pm +++ b/Bugzilla/Token.pm @@ -176,9 +176,14 @@ sub issue_hash_token { $data ||= []; $time ||= time(); + # For the user ID, use the actual ID if the user is logged in. + # Otherwise, use the remote IP, in case this is for something + # such as creating an account or logging in. + my $user_id = Bugzilla->user->id || remote_ip(); + # The concatenated string is of the form - # token creation time + site-wide secret + user ID + data - my @args = ($time, Bugzilla->localconfig->{'site_wide_secret'}, Bugzilla->user->id, @$data); + # token creation time + site-wide secret + user ID (either ID or remote IP) + data + my @args = ($time, Bugzilla->localconfig->{'site_wide_secret'}, $user_id, @$data); my $token = join('*', @args); # Wide characters cause md5_hex() to die. diff --git a/createaccount.cgi b/createaccount.cgi index db0727add..2348d4e91 100755 --- a/createaccount.cgi +++ b/createaccount.cgi @@ -62,6 +62,11 @@ unless ($createexp) { my $login = $cgi->param('login'); if (defined($login)) { + # Check the hash token to make sure this user actually submitted + # the create account form. + my $token = $cgi->param('token'); + check_hash_token($token, ['create_account']); + $login = Bugzilla::User->check_login_name_for_creation($login); $vars->{'login'} = $login; diff --git a/template/en/default/account/create.html.tmpl b/template/en/default/account/create.html.tmpl index 5b8220193..5acd9f541 100644 --- a/template/en/default/account/create.html.tmpl +++ b/template/en/default/account/create.html.tmpl @@ -73,6 +73,7 @@
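Review bot: With `my $user_id = Bugzilla->user->id || remote_ip();` in issue_hash_token, a logged-out user's token is bound to an address rather than to a browser session. Every client behind the same proxy or NAT address therefore gets interchangeable tokens, and a client whose address changes between loading and submitting the form will fail validation. The new comment above that line should record the limitation, e.g. `# NOTE: an IP-bound token is shared by all clients behind that address; it is weaker than a session-bound token.` How `remote_ip()` treats proxy-supplied headers determines which address ends up in the hash; that function is not shown in this diff and is worth confirming, and no import for it is added here, so it is presumably already in scope in Token.pm. The sub begins and ends outside the hunk.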
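Review bot: In createaccount.cgi the result of `check_hash_token($token, ['create_account']);` is discarded, so the CSRF protection rests on that function ending the request itself when the token is missing, stale or wrong; its body is not part of this diff. A short addition to the new comment would make that explicit, e.g. `# check_hash_token() does not return on failure.`, assuming that is its contract. No `use` line is added to createaccount.cgi in this commit, so `check_hash_token` is presumably already imported there. That is worth confirming, because an unresolved sub would only surface at run time when a `login` parameter is submitted.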
+ -- cgit v1.2.3-24-g4f1b