From f47c0339e2c258c878e6284970d917dcd3960cba Mon Sep 17 00:00:00 2001 From: "terry%mozilla.org" <> Date: Thu, 27 May 1999 22:17:25 +0000 Subject: Patched minor security hole; don't show summary of bugs that the user doesn't have permission to see. --- showdependencygraph.cgi | 6 +++++- showdependencytree.cgi | 8 +++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index 6ead9f84d..7e06ffc62 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi @@ -47,6 +47,8 @@ PutHeader("Dependency graph", "Dependency graph", $id); if (defined $id) { ConnectToDatabase(); + quietly_check_login(); + $::usergroupset = $::usergroupset; # More warning suppression silliness. mkdir("data/webdot", 0777); @@ -99,8 +101,10 @@ node [URL="${urlbase}show_bug.cgi?id=\\N", style=filled, color=lightgrey] my $summary = ""; my $stat; if ($::FORM{'showsummary'}) { - SendSQL("select bug_status, short_desc from bugs where bug_id = $k"); + SendSQL("select bug_status, short_desc from bugs where bug_id = $k and bugs.groupset & $::usergroupset = bugs.groupset"); ($stat, $summary) = (FetchSQLData()); + $stat = "NEW" if !defined $stat; + $summary = "" if !defined $summary; } else { SendSQL("select bug_status from bugs where bug_id = $k"); $stat = FetchOneColumn(); diff --git a/showdependencytree.cgi b/showdependencytree.cgi index 92964648f..f457d67a3 100755 --- a/showdependencytree.cgi +++ b/showdependencytree.cgi @@ -37,6 +37,10 @@ PutHeader("Dependency tree", "Dependency tree", "Bug $linkedid"); ConnectToDatabase(); +quietly_check_login(); + +$::usergroupset = $::usergroupset; # More warning suppression silliness. + my %seen; sub DumpKids { @@ -53,8 +57,10 @@ sub DumpKids { if (@list) { print "