From e15776a6d748b615a60596f5f065db0a380550cb Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sun, 11 Mar 2007 16:55:21 +0000
Subject: Bug 354868: Race condition when changing user privs in editusers.cgi
 - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=LpSolit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 editusers.cgi | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'editusers.cgi')

diff --git a/editusers.cgi b/editusers.cgi
index b4e3f698e..076a2de98 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -235,7 +235,10 @@ if ($action eq 'search') {
                          'groups READ',
                          'user_group_map WRITE',
                          'group_group_map READ',
-                         'group_group_map AS ggm READ');
+                         'group_group_map AS ggm READ',
+                         'user_group_map AS directmember READ',
+                         'user_group_map AS regexpmember READ',
+                         'user_group_map AS directbless READ');
  
     $editusers || $user->can_see_user($otherUser)
         || ThrowUserError('auth_failure', {reason => "not_visible",
@@ -282,15 +285,16 @@ if ($action eq 'search') {
     # silently.
     # XXX: checking for existence of each user_group_map entry
     #      would allow to display a friendlier error message on page reloads.
+    userDataToVars($otherUserID);
+    my $permissions = $vars->{'permissions'};
     foreach (@{$user->bless_groups()}) {
         my $id = $$_{'id'};
         my $name = $$_{'name'};
 
         # Change memberships.
-        my $oldgroupid = $cgi->param("oldgroup_$id") || '0';
-        my $groupid    = $cgi->param("group_$id")    || '0';
-        if ($groupid ne $oldgroupid) {
-            if ($groupid eq '0') {
+        my $groupid = $cgi->param("group_$id") || 0;
+        if ($groupid != $permissions->{$id}->{'directmember'}) {
+            if (!$groupid) {
                 $sth_remove_mapping->execute(
                     $otherUserID, $id, 0, GRANT_DIRECT);
                 push(@groupsRemovedFrom, $name);
@@ -304,10 +308,9 @@ if ($action eq 'search') {
         # Only members of the editusers group may change bless grants.
         # Skip silently if this is not the case.
         if ($editusers) {
-            my $oldgroupid = $cgi->param("oldbless_$id") || '0';
-            my $groupid    = $cgi->param("bless_$id")    || '0';
-            if ($groupid ne $oldgroupid) {
-                if ($groupid eq '0') {
+            my $groupid = $cgi->param("bless_$id") || 0;
+            if ($groupid != $permissions->{$id}->{'directbless'}) {
+                if (!$groupid) {
                     $sth_remove_mapping->execute(
                         $otherUserID, $id, 1, GRANT_DIRECT);
                     push(@groupsDeniedRightsToBless, $name);
-- 
cgit v1.2.3-24-g4f1b