From e15776a6d748b615a60596f5f065db0a380550cb Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sun, 11 Mar 2007 16:55:21 +0000
Subject: Bug 354868: Race condition when changing user privs in editusers.cgi - Patch by Frédéric Buclin r=wicked a=LpSolit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 editusers.cgi | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'editusers.cgi')

diff --git a/editusers.cgi b/editusers.cgi
index b4e3f698e..076a2de98 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -235,7 +235,10 @@ if ($action eq 'search') {
 'groups READ',
 'user_group_map WRITE',
 'group_group_map READ',
- 'group_group_map AS ggm READ');
+ 'group_group_map AS ggm READ',
+ 'user_group_map AS directmember READ',
+ 'user_group_map AS regexpmember READ',
+ 'user_group_map AS directbless READ');
 
 $editusers || $user->can_see_user($otherUser)
 || ThrowUserError('auth_failure', {reason => "not_visible",
@@ -282,15 +285,16 @@ if ($action eq 'search') {
 # silently.
 # XXX: checking for existence of each user_group_map entry
 # would allow to display a friendlier error message on page reloads.
+ userDataToVars($otherUserID);
+ my $permissions = $vars->{'permissions'};
 foreach (@{$user->bless_groups()}) {
 my $id = $$_{'id'};
 my $name = $$_{'name'};
 
 # Change memberships.
- my $oldgroupid = $cgi->param("oldgroup_$id") || '0';
- my $groupid = $cgi->param("group_$id") || '0';
- if ($groupid ne $oldgroupid) {
- if ($groupid eq '0') {
+ my $groupid = $cgi->param("group_$id") || 0;
+ if ($groupid != $permissions->{$id}->{'directmember'}) {
+ if (!$groupid) {
 $sth_remove_mapping->execute(
 $otherUserID, $id, 0, GRANT_DIRECT);
 push(@groupsRemovedFrom, $name);
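Review bot: The three `user_group_map AS …` READ entries added to the lock list appear to exist only so that `userDataToVars()`, called later in this request outside this hunk, can query those aliases while the tables are held, yet nothing at the list says so; a one-line comment such as `# Aliases queried by userDataToVars(), which must run under these locks to close the race.` would stop a later change to that helper from breaking the locked section unnoticed. If this is MySQL LOCK TABLES, as the alias-per-use style suggests, any table or alias the helper touches that is missing here fails at runtime rather than at review, so the dependency between the two places is worth stating where the list is maintained. The lock call itself begins before the first line of the hunk.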
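Review bot: `$groupid` is compared with `!=` against `$permissions->{$id}->{'directmember'}` while it still holds the raw CGI string, so a non-standard or crafted submission such as `group_<id>=on` numifies to 0 with a warning, satisfies the `!=` test, then fails `!$groupid` and drops into the add branch (outside the hunk) even when the user is already a direct member; normalising the checkbox first, `my $groupid = $cgi->param("group_$id") ? 1 : 0;`, makes the comparison and the branch agree on one boolean. This presumes `directmember` is 0/1 as produced by `userDataToVars()`, whose body is not visible here. The `# XXX` comment kept above the loop also looks stale now: with the old state taken from the database instead of the hidden `oldgroup_*` field, a plain page reload no longer re-inserts a mapping, so the comment could be narrowed or dropped. The enclosing `foreach` continues past the end of the hunk.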
@@ -304,10 +308,9 @@ if ($action eq 'search') {
 # Only members of the editusers group may change bless grants.
 # Skip silently if this is not the case.
 if ($editusers) {
- my $oldgroupid = $cgi->param("oldbless_$id") || '0';
- my $groupid = $cgi->param("bless_$id") || '0';
- if ($groupid ne $oldgroupid) {
- if ($groupid eq '0') {
+ my $groupid = $cgi->param("bless_$id") || 0;
+ if ($groupid != $permissions->{$id}->{'directbless'}) {
+ if (!$groupid) {
 $sth_remove_mapping->execute(
 $otherUserID, $id, 1, GRANT_DIRECT);
 push(@groupsDeniedRightsToBless, $name);
-- 
cgit v1.2.3-24-g4f1b
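Review bot: `my $groupid = $cgi->param("bless_$id") || 0;` redeclares `$groupid` inside the `if ($editusers)` block, shadowing the membership `$groupid` declared earlier in what appears to be the same loop iteration, and the name no longer says that this is a bless flag rather than a membership; `my $blessid = $cgi->param("bless_$id") || 0;` with the two following uses renamed reads unambiguously. As in the membership branch, the value is compared numerically while still a raw CGI string, so normalising it with `? 1 : 0` would keep `!=` and the `!$blessid` test consistent for non-numeric input. Both the `if ($editusers)` block and the enclosing `foreach` close after the end of the hunk.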