From 73fd49ff3bbff6244802ba548bb22c2be39014e1 Mon Sep 17 00:00:00 2001
From: "bugreport%peshkin.net" <>
Date: Tue, 6 Jul 2004 08:12:29 +0000
Subject: Bug 243463 Use a param to protect new charts from leaking information
r=justdave a=justdave
---
chart.cgi | 4 ++
defparams.pl | 11 ++++++
editproducts.cgi | 59 ++++++++++++++++--------------
template/en/default/reports/menu.html.tmpl | 10 +++--
4 files changed, 53 insertions(+), 31 deletions(-)
diff --git a/chart.cgi b/chart.cgi
index 229e9bbf7..b6f7f746b 100755
--- a/chart.cgi
+++ b/chart.cgi
@@ -84,6 +84,10 @@ if ($action eq "search") {
Bugzilla->login(LOGIN_REQUIRED);
+UserInGroup(Param("chartgroup"))
+ || ThrowUserError("authorization_failure",
+ {action => "use this feature"});
+
# Only admins may create public queries
UserInGroup('admin') || $cgi->delete('public');
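Review bot: The new group check relies on `Param("chartgroup")` being `''` by default (see the defparams.pl hunk) and on `UserInGroup('')` returning false for that blank value; that fail-closed behaviour is the whole protection, so it deserves a comment on the line, e.g. `# A blank chartgroup param means nobody may use New Charts (UserInGroup('') is false).`. The hunk header names `if ($action eq "search")` as the nearest enclosing context, so whether this `Bugzilla->login(LOGIN_REQUIRED)` line sits at top level (covering every remaining action) or only inside one branch cannot be confirmed from the hunk; if it is inside a branch, the other chart actions stay unguarded. Making the blank case explicit would also not hurt: `(Param("chartgroup") && UserInGroup(Param("chartgroup"))) || ThrowUserError(...)`.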
diff --git a/defparams.pl b/defparams.pl
index 849c033ea..6861d0447 100644
--- a/defparams.pl
+++ b/defparams.pl
@@ -1034,6 +1034,17 @@ Reason: %reason%
checker => \&check_numeric
},
+ {
+ name => 'chartgroup',
+ desc => 'The name of the group of users who can use the "New Charts" ' .
+ 'feature. Administrators should ensure that the public categories ' .
+ 'and series definitions do not divulge unwanted information ' .
+ 'before enabling this for an untrusted population. If left blank, ' .
+ 'no users will be able to use New Charts.',
+ type => 't',
+ default => ''
+ },
+
{
name => 'insidergroup',
desc => 'The name of the group of users who can see/change private ' .
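Review bot: The new `chartgroup` entry carries no `checker`, unlike the numeric param whose `checker => \&check_numeric` closes just above it, so a mistyped group name is accepted at edit time and only shows up as every user being denied access to New Charts. That is fail-closed, which is the right direction, but it is silent; if the codebase has a group-existence checker it should be attached here, and if not, the `desc` text could say that an unknown group name has the same effect as leaving the param blank.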
diff --git a/editproducts.cgi b/editproducts.cgi
index 8cf9a309d..6d33c8080 100755
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -271,6 +271,10 @@ if ($action eq 'add') {
print "
\n";
print "
Version:
\n";
print "
\n";
+ print "
\n";
+ print "
Create chart datasets for this product:
\n";
+ print "
";
+ print "
\n";
print "\n\n";
print "\n";
@@ -389,36 +393,37 @@ if ($action eq 'new') {
CONTROLMAPNA . ", 0)");
}
- # Insert default charting queries for this product.
- # If they aren't using charting, this won't do any harm.
- GetVersionTable();
-
- my @series;
-
- # We do every status, every resolution, and an "opened" one as well.
- foreach my $bug_status (@::legal_bug_status) {
- push(@series, [$bug_status, "bug_status=$bug_status"]);
- }
+ if ($::FORM{createseries}) {
+ # Insert default charting queries for this product.
+ # If they aren't using charting, this won't do any harm.
+ GetVersionTable();
+
+ my @series;
+
+ # We do every status, every resolution, and an "opened" one as well.
+ foreach my $bug_status (@::legal_bug_status) {
+ push(@series, [$bug_status, "bug_status=$bug_status"]);
+ }
- foreach my $resolution (@::legal_resolution) {
- next if !$resolution;
- push(@series, [$resolution, "resolution=$resolution"]);
- }
+ foreach my $resolution (@::legal_resolution) {
+ next if !$resolution;
+ push(@series, [$resolution, "resolution=$resolution"]);
+ }
- # For localisation reasons, we get the name of the "global" subcategory
- # and the title of the "open" query from the submitted form.
- my @openedstatuses = ("UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED");
- my $query = join("&", map { "bug_status=$_" } @openedstatuses);
- push(@series, [$::FORM{'open_name'}, $query]);
-
- foreach my $sdata (@series) {
- my $series = new Bugzilla::Series(undef, $product,
- $::FORM{'subcategory'},
- $sdata->[0], $::userid, 1,
- $sdata->[1] . "&product=$product", 1);
- $series->writeToDatabase();
+ # For localisation reasons, we get the name of the "global" subcategory
+ # and the title of the "open" query from the submitted form.
+ my @openedstatuses = ("UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED");
+ my $query = join("&", map { "bug_status=$_" } @openedstatuses);
+ push(@series, [$::FORM{'open_name'}, $query]);
+
+ foreach my $sdata (@series) {
+ my $series = new Bugzilla::Series(undef, $product,
+ $::FORM{'subcategory'},
+ $sdata->[0], $::userid, 1,
+ $sdata->[1] . "&product=$product", 1);
+ $series->writeToDatabase();
+ }
}
-
# Make versioncache flush
unlink "$datadir/versioncache";
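Review bot: The series created inside the new `if ($::FORM{createseries})` block are constructed with a trailing positional `1` (after the query string); if that argument is the series' public flag, as the constructor's positional form suggests but the hunk does not show, these are exactly the "public series definitions" the new `chartgroup` param text asks administrators to review, and a comment such as `# These default series are created public; see the chartgroup param.` would make that visible to whoever maintains this. The guard itself uses a bare key, `$::FORM{createseries}`, while the neighbouring lines quote theirs (`$::FORM{'open_name'}`, `$::FORM{'subcategory'}`); one style should be used. The moved lines still use indirect object syntax, `new Bugzilla::Series(...)`, which is better written `Bugzilla::Series->new(...)`. The enclosing `if ($action eq 'new')` block starts before this hunk.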
diff --git a/template/en/default/reports/menu.html.tmpl b/template/en/default/reports/menu.html.tmpl
index 7481790fd..5ac1516d5 100644
--- a/template/en/default/reports/menu.html.tmpl
+++ b/template/en/default/reports/menu.html.tmpl
@@ -64,10 +64,12 @@
plot the status and/or resolution of [% terms.bugs %] against
time, for each product in your database.
-
- New Charts -
- plot any arbitrary search against time. Far more powerful.
-
+ [% IF UserInGroup(Param("chartgroup")) %]
+
+ New Charts -
+ plot any arbitrary search against time. Far more powerful.
+
+ [% END %]
[% PROCESS global/footer.html.tmpl %]
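Review bot: Wrapping the New Charts link in `[% IF UserInGroup(Param("chartgroup")) %]` only hides the menu entry; it is not an access control, since anyone can still request chart.cgi directly, and the real enforcement is the check added to chart.cgi in this same commit. A short template comment would keep a later editor from treating this as the protection, e.g. `[%# Menu visibility only; chart.cgi enforces the chartgroup check. %]`. The Old Charts link above this hunk remains visible to everyone, which appears intended given the commit title.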
--
cgit v1.2.3-24-g4f1b