Bug 141593 You can add/remove dependencies on bugs you can't see

Patch by Joel Peshkin <bugreport@peshkin.net> r=lpsolit, a=justdave

Bug 141593 You can add/remove dependencies on bugs you can't see
89222752 · bugreport%peshkin.net · 6372dbd5 · 89222752 · 89222752 · 89222752
Commit 89222752 authored Oct 19, 2005 by bugreport%peshkin.net
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 8 deletions

post_bug.cgi post_bug.cgi +3 -1

process_bug.cgi process_bug.cgi +23 -5

user-error.html.tmpl template/en/default/global/user-error.html.tmpl +7 -2

No files found.
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -261,7 +261,9 @@ foreach my $field ("dependson", "blocked") {
        my @validvalues;
        foreach my $id (split(/[\s,]+/, $cgi->param($field))) {
            next unless $id;
-            ValidateBugID($id, $field);
+            # $field is not passed to ValidateBugID to prevent adding new 
+            # dependencies on inacessible bugs.
+            ValidateBugID($id);
            push(@validvalues, $id);
        }
        $cgi->param(-name => $field, -value => join(",", @validvalues));

--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -43,6 +43,7 @@ use strict;
 my $UserInEditGroupSet = -1;
 my $UserInCanConfirmGroupSet = -1;
 my $PrivilegesRequired = 0;
+my $lastbugid = 0;
 use lib qw(.);
@@ -144,14 +145,32 @@ ValidateComment(scalar $cgi->param('comment'));
 # is a bug alias that gets converted to its corresponding bug ID
 # during validation.
 foreach my $field ("dependson", "blocked") {
-    if ($cgi->param($field)) {
+    if ($cgi->param('id')) {
-        my @validvalues;
+        my $bug = new Bugzilla::Bug($cgi->param('id'), $user->id);
+        my @old = @{$bug->$field};
+        my @new;
        foreach my $id (split(/[\s,]+/, $cgi->param($field))) {
            next unless $id;
            ValidateBugID($id, $field);
-            push(@validvalues, $id);
+            push @new, $id;
+        }
+        $cgi->param($field, join(",", @new));
+        my ($added, $removed) = Bugzilla::Util::diff_arrays(\@old, \@new);
+        foreach my $id (@$added , @$removed) {
+            # ValidateBugID is called without $field here so that it will
+            # throw an error if any of the changed bugs are not visible.
+            ValidateBugID($id);
+            if (!CheckCanChangeField($field, $bug->bug_id, 0, 1)) {
+                $vars->{'privs'} = $PrivilegesRequired;
+                $vars->{'field'} = $field;
+                ThrowUserError("illegal_change", $vars);
+            }
        }
-        $cgi->param($field, join(",", @validvalues));
+    } else {
+        # Bugzilla does not support mass-change of dependencies so they
+        # are not validated.  To prevent a URL-hacking risk, the dependencies
+        # are deleted for mass-changes.
+        $cgi->delete($field);
    }
 }
@@ -353,7 +372,6 @@ if (((defined $cgi->param('id') && $cgi->param('product') ne $oldproduct)
 # now, the rules are pretty simple, and don't look at the field itself very
 # much, but that could be enhanced.
-my $lastbugid = 0;
 my $ownerid;
 my $reporterid;
 my $qacontactid;

--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -524,8 +524,13 @@
    [% title = "Not allowed" %]
    You tried to change the 
    <strong>[% field_descs.$field FILTER html %]</strong> field 
-    from <em>[% oldvalue FILTER html %]</em> to 
+    [% IF oldvalue %]
-    <em>[% newvalue FILTER html %]</em>, but only
+      from <em>[% oldvalue FILTER html %]</em>
+    [% END %]
+    [% IF newvalue %]
+      to <em>[% newvalue FILTER html %]</em>
+    [% END %]
+    , but only
    [% IF privs < 3 %]
      the assignee
      [% IF privs < 2 %] or reporter [% END %]