Commit 73fd49ff authored by bugreport%peshkin.net's avatar bugreport%peshkin.net

Bug 243463 Use a param to protect new charts from leaking information

r=justdave a=justdave
parent 4ab7a75f
...@@ -84,6 +84,10 @@ if ($action eq "search") { ...@@ -84,6 +84,10 @@ if ($action eq "search") {
Bugzilla->login(LOGIN_REQUIRED); Bugzilla->login(LOGIN_REQUIRED);
UserInGroup(Param("chartgroup"))
|| ThrowUserError("authorization_failure",
{action => "use this feature"});
# Only admins may create public queries # Only admins may create public queries
UserInGroup('admin') || $cgi->delete('public'); UserInGroup('admin') || $cgi->delete('public');
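Review bot: The guard at L9 hands `Param("chartgroup")` straight to UserInGroup, so the promise that a blank parameter disables New Charts for everyone holds only if UserInGroup returns false for an empty group name; that behaviour is not visible in this hunk, and making the blank case explicit removes the dependency, e.g. `my $chartgroup = Param("chartgroup");` followed by `($chartgroup && UserInGroup($chartgroup)) || ThrowUserError("authorization_failure", {action => "use this feature"});`. The enclosing scope begins outside the hunk (the header names `if ($action eq "search")`), so it is worth confirming that this check runs before every action the script dispatches rather than inside one branch. Because the group name comes from a free-text parameter, a mistyped value fails closed under the current code, which is the safe direction, but only if the empty-name assumption above holds.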
......
...@@ -1035,6 +1035,17 @@ Reason: %reason% ...@@ -1035,6 +1035,17 @@ Reason: %reason%
}, },
{ {
name => 'chartgroup',
desc => 'The name of the group of users who can use the "New Charts" ' .
'feature. Administrators should ensure that the public categories ' .
'and series definitions do not divulge unwanted information ' .
'before enabling this for an untrusted population. If left blank, ' .
'no users will be able to use New Charts.',
type => 't',
default => ''
},
{
name => 'insidergroup', name => 'insidergroup',
desc => 'The name of the group of users who can see/change private ' . desc => 'The name of the group of users who can see/change private ' .
'comments and attachments.', 'comments and attachments.',
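Review bot: The new `chartgroup` entry at L18-26 is `type => 't'` with no validation, so an administrator who mistypes the group name gets no feedback and the feature silently stays unavailable to everyone, which the description does not warn about. If this version of defparams supports a `checker` entry, a check that the value is blank or names an existing group would surface the mistake at edit time; otherwise one extra sentence in the description, e.g. `'The name must exactly match an existing group.'`, would at least document it. The surrounding array of parameter definitions starts and ends outside the hunk.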
......
...@@ -271,6 +271,10 @@ if ($action eq 'add') { ...@@ -271,6 +271,10 @@ if ($action eq 'add') {
print "</TR><TR>\n"; print "</TR><TR>\n";
print " <TH ALIGN=\"right\">Version:</TH>\n"; print " <TH ALIGN=\"right\">Version:</TH>\n";
print " <TD><INPUT SIZE=64 MAXLENGTH=255 NAME=\"version\" VALUE=\"unspecified\"></TD>\n"; print " <TD><INPUT SIZE=64 MAXLENGTH=255 NAME=\"version\" VALUE=\"unspecified\"></TD>\n";
print "</TR><TR>\n";
print " <TH ALIGN=\"right\">Create chart datasets for this product:</TH>\n";
print " <TD><INPUT TYPE=CHECKBOX NAME=\"createseries\" VALUE=1></TD>";
print "</TR>\n";
print "</TABLE>\n<HR>\n"; print "</TABLE>\n<HR>\n";
print "<INPUT TYPE=SUBMIT VALUE=\"Add\">\n"; print "<INPUT TYPE=SUBMIT VALUE=\"Add\">\n";
...@@ -389,6 +393,7 @@ if ($action eq 'new') { ...@@ -389,6 +393,7 @@ if ($action eq 'new') {
CONTROLMAPNA . ", 0)"); CONTROLMAPNA . ", 0)");
} }
if ($::FORM{createseries}) {
# Insert default charting queries for this product. # Insert default charting queries for this product.
# If they aren't using charting, this won't do any harm. # If they aren't using charting, this won't do any harm.
GetVersionTable(); GetVersionTable();
...@@ -418,7 +423,7 @@ if ($action eq 'new') { ...@@ -418,7 +423,7 @@ if ($action eq 'new') {
$sdata->[1] . "&product=$product", 1); $sdata->[1] . "&product=$product", 1);
$series->writeToDatabase(); $series->writeToDatabase();
} }
}
# Make versioncache flush # Make versioncache flush
unlink "$datadir/versioncache"; unlink "$datadir/versioncache";
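Review bot: The comment retained at L46-47 inside the new `if ($::FORM{createseries})` block still says the insert "won't do any harm" if charting is unused, which described the old unconditional behaviour; now that series creation is opt-in through the checkbox added at L36-39 (unchecked by default), the comment should say so, e.g. `# Insert default charting queries for this product, only when the admin ticked "Create chart datasets" on the add form.` The `if` opened at L45 closes at L53 in the second hunk, so the block spans both hunks and its middle is not shown here. The `createseries` value is used only for truthiness, so an absent field (box unchecked) skips creation as intended.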
......
...@@ -64,10 +64,12 @@ ...@@ -64,10 +64,12 @@
plot the status and/or resolution of [% terms.bugs %] against plot the status and/or resolution of [% terms.bugs %] against
time, for each product in your database. time, for each product in your database.
</li> </li>
[% IF UserInGroup(Param("chartgroup")) %]
<li> <li>
<strong><a href="chart.cgi">New Charts</a></strong> - <strong><a href="chart.cgi">New Charts</a></strong> -
plot any arbitrary search against time. Far more powerful. plot any arbitrary search against time. Far more powerful.
</li> </li>
[% END %]
</ul> </ul>
[% PROCESS global/footer.html.tmpl %] [% PROCESS global/footer.html.tmpl %]