aboutsummaryrefslogtreecommitdiffstats
path: root/process_bug.cgi
diff options
context:
space:
mode:
authorbugreport%peshkin.net <>2005-10-19 04:12:45 +0000
committerbugreport%peshkin.net <>2005-10-19 04:12:45 +0000
commit89222752d44a4c99e6b901e95adf9e613d705815 (patch)
treee7432b5b71d968e55f20fb04c412b524395ba85b /process_bug.cgi
parent6372dbd5d9f79a86989897a14647ef5a4b0363eb (diff)
downloadbugs-89222752d44a4c99e6b901e95adf9e613d705815.tar
bugs-89222752d44a4c99e6b901e95adf9e613d705815.tar.gz
bugs-89222752d44a4c99e6b901e95adf9e613d705815.tar.bz2
bugs-89222752d44a4c99e6b901e95adf9e613d705815.tar.xz
bugs-89222752d44a4c99e6b901e95adf9e613d705815.zip
Bug 141593 You can add/remove dependencies on bugs you can't see
Patch by Joel Peshkin <bugreport@peshkin.net> r=lpsolit, a=justdave
Diffstat (limited to 'process_bug.cgi')
-rwxr-xr-xprocess_bug.cgi28
1 files changed, 23 insertions, 5 deletions
diff --git a/process_bug.cgi b/process_bug.cgi
index 0cc4a224f..adb6a3ded 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -43,6 +43,7 @@ use strict;
my $UserInEditGroupSet = -1;
my $UserInCanConfirmGroupSet = -1;
my $PrivilegesRequired = 0;
+my $lastbugid = 0;
use lib qw(.);
@@ -144,14 +145,32 @@ ValidateComment(scalar $cgi->param('comment'));
# is a bug alias that gets converted to its corresponding bug ID
# during validation.
foreach my $field ("dependson", "blocked") {
- if ($cgi->param($field)) {
- my @validvalues;
+ if ($cgi->param('id')) {
+ my $bug = new Bugzilla::Bug($cgi->param('id'), $user->id);
+ my @old = @{$bug->$field};
+ my @new;
foreach my $id (split(/[\s,]+/, $cgi->param($field))) {
next unless $id;
ValidateBugID($id, $field);
- push(@validvalues, $id);
+ push @new, $id;
+ }
+ $cgi->param($field, join(",", @new));
+ my ($added, $removed) = Bugzilla::Util::diff_arrays(\@old, \@new);
+ foreach my $id (@$added , @$removed) {
+ # ValidateBugID is called without $field here so that it will
+ # throw an error if any of the changed bugs are not visible.
+ ValidateBugID($id);
+ if (!CheckCanChangeField($field, $bug->bug_id, 0, 1)) {
+ $vars->{'privs'} = $PrivilegesRequired;
+ $vars->{'field'} = $field;
+ ThrowUserError("illegal_change", $vars);
+ }
}
- $cgi->param($field, join(",", @validvalues));
+ } else {
+ # Bugzilla does not support mass-change of dependencies so they
+ # are not validated. To prevent a URL-hacking risk, the dependencies
+ # are deleted for mass-changes.
+ $cgi->delete($field);
}
}
@@ -353,7 +372,6 @@ if (((defined $cgi->param('id') && $cgi->param('product') ne $oldproduct)
# now, the rules are pretty simple, and don't look at the field itself very
# much, but that could be enhanced.
-my $lastbugid = 0;
my $ownerid;
my $reporterid;
my $qacontactid;