Bug 243463 Use a param to protect new charts from leaking information

r=justdave a=justdave

Bug 243463 Use a param to protect new charts from leaking information
73fd49ff · bugreport%peshkin.net · 4ab7a75f · 73fd49ff · 73fd49ff · 73fd49ff
Commit 73fd49ff authored Jul 06, 2004 by bugreport%peshkin.net
Show whitespace changes
Inline Side-by-side

Showing with 23 additions and 1 deletion

chart.cgi chart.cgi +4 -0

defparams.pl defparams.pl +11 -0

editproducts.cgi editproducts.cgi +6 -1

menu.html.tmpl template/en/default/reports/menu.html.tmpl +2 -0

No files found.
--- a/chart.cgi
+++ b/chart.cgi
@@ -84,6 +84,10 @@ if ($action eq "search") {

 Bugzilla->login(LOGIN_REQUIRED);

+UserInGroup(Param("chartgroup")) 
+    || ThrowUserError("authorization_failure", 
+                     {action => "use this feature"});
+
 # Only admins may create public queries
 UserInGroup('admin') || $cgi->delete('public');


--- a/defparams.pl
+++ b/defparams.pl
@@ -1035,6 +1035,17 @@ Reason: %reason%
  },

  {
+   name => 'chartgroup',
+   desc => 'The name of the group of users who can use the "New Charts" ' .
+           'feature. Administrators should ensure that the public categories ' .
+           'and series definitions do not divulge unwanted information ' .
+           'before enabling this for an untrusted population. If left blank, ' .
+           'no users will be able to use New Charts.',
+   type => 't',
+   default => ''
+  },
+  
+  {
   name => 'insidergroup',
   desc => 'The name of the group of users who can see/change private ' .
           'comments and attachments.',

--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -271,6 +271,10 @@ if ($action eq 'add') {
    print "</TR><TR>\n";
    print "  <TH ALIGN=\"right\">Version:</TH>\n";
    print "  <TD><INPUT SIZE=64 MAXLENGTH=255 NAME=\"version\" VALUE=\"unspecified\"></TD>\n";
+    print "</TR><TR>\n";
+    print "  <TH ALIGN=\"right\">Create chart datasets for this product:</TH>\n";
+    print "  <TD><INPUT TYPE=CHECKBOX NAME=\"createseries\" VALUE=1></TD>";
+    print "</TR>\n";

    print "</TABLE>\n<HR>\n";
    print "<INPUT TYPE=SUBMIT VALUE=\"Add\">\n";
@@ -389,6 +393,7 @@ if ($action eq 'new') {
                CONTROLMAPNA . ", 0)");
    }

+    if ($::FORM{createseries}) {
        # Insert default charting queries for this product.
        # If they aren't using charting, this won't do any harm.
        GetVersionTable();
@@ -418,7 +423,7 @@ if ($action eq 'new') {
                                              $sdata->[1] . "&product=$product", 1);
            $series->writeToDatabase();
        }
-
+    }
    # Make versioncache flush
    unlink "$datadir/versioncache";


--- a/template/en/default/reports/menu.html.tmpl
+++ b/template/en/default/reports/menu.html.tmpl
@@ -64,10 +64,12 @@
    plot the status and/or resolution of [% terms.bugs %] against
    time, for each product in your database.
  </li>
+  [% IF UserInGroup(Param("chartgroup")) %]
    <li>
      <strong><a href="chart.cgi">New Charts</a></strong> - 
      plot any arbitrary search against time. Far more powerful.
    </li>
+  [% END %]
 </ul>

 [% PROCESS global/footer.html.tmpl %]