Commit a05220de authored by Dave Lawrence's avatar Dave Lawrence

Bug 779088 - Allow extensions to whitelist PATH_INFO

r/a=LpSolit
parent ecc6dfbc
......@@ -59,14 +59,20 @@ sub new {
# Path-Info is of no use for Bugzilla and interacts badly with IIS.
# Moreover, it causes unexpected behaviors, such as totally breaking
# the rendering of pages. Skip it!
print $self->redirect($self->url(-path => 0, -query => 1)) if $self->path_info;
# the rendering of pages.
my $script = basename($0);
if ($self->path_info) {
my @whitelist;
Bugzilla::Hook::process('path_info_whitelist', { whitelist => \@whitelist });
if (!grep($_ eq $script, @whitelist)) {
print $self->redirect($self->url(-path => 0, -query => 1));
}
}
# Send appropriate charset
$self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : '');
# Redirect to urlbase/sslbase if we are not viewing an attachment.
my $script = basename($0);
if ($self->url_is_attachment_base and $script ne 'attachment.cgi') {
$self->redirect_to_urlbase();
}
......
......@@ -1289,6 +1289,22 @@ your template.
=back
=head2 path_info_whitelist
By default, Bugzilla removes the Path-Info information from URLs before
passing data to CGI scripts. If this information is needed for your
customizations, you can enumerate the pages you want to whitelist here.
Params:
=over
=item C<whitelist>
An array of script names that will not have their Path-Info automatically
removed.
=back
=head2 post_bug_after_creation
......
......@@ -29,6 +29,20 @@ use constant REL_EXAMPLE => -127;
our $VERSION = '1.0';
sub admin_editusers_action {
my ($self, $args) = @_;
my ($vars, $action, $user) = @$args{qw(vars action user)};
my $template = Bugzilla->template;
if ($action eq 'my_action') {
# Allow to restrict the search to any group the user is allowed to bless.
$vars->{'restrictablegroups'} = $user->bless_groups();
$template->process('admin/users/search.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
exit;
}
}
sub attachment_process_data {
my ($self, $args) = @_;
my $type = $args->{attributes}->{mimetype};
......@@ -65,6 +79,44 @@ sub auth_verify_methods {
}
}
sub bug_check_can_change_field {
my ($self, $args) = @_;
my ($bug, $field, $new_value, $old_value, $priv_results)
= @$args{qw(bug field new_value old_value priv_results)};
my $user = Bugzilla->user;
# Disallow a bug from being reopened if currently closed unless user
# is in 'admin' group
if ($field eq 'bug_status' && $bug->product_obj->name eq 'Example') {
if (!is_open_state($old_value) && is_open_state($new_value)
&& !$user->in_group('admin'))
{
push(@$priv_results, PRIVILEGES_REQUIRED_EMPOWERED);
return;
}
}
# Disallow a bug's keywords from being edited unless user is the
# reporter of the bug
if ($field eq 'keywords' && $bug->product_obj->name eq 'Example'
&& $user->login ne $bug->reporter->login)
{
push(@$priv_results, PRIVILEGES_REQUIRED_REPORTER);
return;
}
# Allow updating of priority even if user cannot normally edit the bug
# and they are in group 'engineering'
if ($field eq 'priority' && $bug->product_obj->name eq 'Example'
&& $user->in_group('engineering'))
{
push(@$priv_results, PRIVILEGES_REQUIRED_NONE);
return;
}
}
sub bug_columns {
my ($self, $args) = @_;
my $columns = $args->{'columns'};
......@@ -676,6 +728,12 @@ sub page_before_template {
}
}
sub path_info_whitelist {
my ($self, $args) = @_;
my $whitelist = $args->{whitelist};
push(@$whitelist, "page.cgi");
}
sub post_bug_after_creation {
my ($self, $args) = @_;
......@@ -804,58 +862,6 @@ sub template_before_process {
}
}
sub bug_check_can_change_field {
my ($self, $args) = @_;
my ($bug, $field, $new_value, $old_value, $priv_results)
= @$args{qw(bug field new_value old_value priv_results)};
my $user = Bugzilla->user;
# Disallow a bug from being reopened if currently closed unless user
# is in 'admin' group
if ($field eq 'bug_status' && $bug->product_obj->name eq 'Example') {
if (!is_open_state($old_value) && is_open_state($new_value)
&& !$user->in_group('admin'))
{
push(@$priv_results, PRIVILEGES_REQUIRED_EMPOWERED);
return;
}
}
# Disallow a bug's keywords from being edited unless user is the
# reporter of the bug
if ($field eq 'keywords' && $bug->product_obj->name eq 'Example'
&& $user->login ne $bug->reporter->login)
{
push(@$priv_results, PRIVILEGES_REQUIRED_REPORTER);
return;
}
# Allow updating of priority even if user cannot normally edit the bug
# and they are in group 'engineering'
if ($field eq 'priority' && $bug->product_obj->name eq 'Example'
&& $user->in_group('engineering'))
{
push(@$priv_results, PRIVILEGES_REQUIRED_NONE);
return;
}
}
sub admin_editusers_action {
my ($self, $args) = @_;
my ($vars, $action, $user) = @$args{qw(vars action user)};
my $template = Bugzilla->template;
if ($action eq 'my_action') {
# Allow to restrict the search to any group the user is allowed to bless.
$vars->{'restrictablegroups'} = $user->bless_groups();
$template->process('admin/users/search.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
exit;
}
}
sub user_preferences {
my ($self, $args) = @_;
my $tab = $args->{current_tab};
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment