From 89222752d44a4c99e6b901e95adf9e613d705815 Mon Sep 17 00:00:00 2001
From: "bugreport%peshkin.net" <>
Date: Wed, 19 Oct 2005 04:12:45 +0000
Subject: Bug 141593 You can add/remove dependencies on bugs you can't see Patch by Joel Peshkin r=lpsolit, a=justdave

---
 process_bug.cgi | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

(limited to 'process_bug.cgi')

diff --git a/process_bug.cgi b/process_bug.cgi
index 0cc4a224f..adb6a3ded 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -43,6 +43,7 @@ use strict;
 my $UserInEditGroupSet = -1;
 my $UserInCanConfirmGroupSet = -1;
 my $PrivilegesRequired = 0;
+my $lastbugid = 0;
 use lib qw(.);
@@ -144,14 +145,32 @@ ValidateComment(scalar $cgi->param('comment'));
 # is a bug alias that gets converted to its corresponding bug ID
 # during validation.
 foreach my $field ("dependson", "blocked") {
-    if ($cgi->param($field)) {
-        my @validvalues;
+    if ($cgi->param('id')) {
+        my $bug = new Bugzilla::Bug($cgi->param('id'), $user->id);
+        my @old = @{$bug->$field};
+        my @new;
         foreach my $id (split(/[\s,]+/, $cgi->param($field))) {
             next unless $id;
             ValidateBugID($id, $field);
-            push(@validvalues, $id);
+            push @new, $id;
+        }
+        $cgi->param($field, join(",", @new));
+        my ($added, $removed) = Bugzilla::Util::diff_arrays(\@old, \@new);
+        foreach my $id (@$added , @$removed) {
+            # ValidateBugID is called without $field here so that it will
+            # throw an error if any of the changed bugs are not visible.
+            ValidateBugID($id);
+            if (!CheckCanChangeField($field, $bug->bug_id, 0, 1)) {
+                $vars->{'privs'} = $PrivilegesRequired;
+                $vars->{'field'} = $field;
+                ThrowUserError("illegal_change", $vars);
+            }
         }
-        $cgi->param($field, join(",", @validvalues));
+    } else {
+        # Bugzilla does not support mass-change of dependencies so they
+        # are not validated. To prevent a URL-hacking risk, the dependencies
+        # are deleted for mass-changes.
+        $cgi->delete($field);
     }
 }
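Review bot: `new Bugzilla::Bug($cgi->param('id'), $user->id)` evaluates `$cgi->param('id')` in list context, so a request that carries `id` twice (`id=1&id=2`) passes `(1, 2, $user->id)` and the second id lands in the slot the call otherwise fills with the acting user's id — if that positional argument is what the constructor uses as the user, the bug is presumably loaded as whatever account that number names, which is the same URL-hacking class the commit's own comment says it is closing. The hunk's context line already uses `ValidateComment(scalar $cgi->param('comment'))`, so the same form applies here, `my $bug = new Bugzilla::Bug(scalar $cgi->param('id'), $user->id);`, unless `id` is collapsed to a single value earlier in the file, which this hunk does not show. Two smaller points: `CheckCanChangeField($field, $bug->bug_id, 0, 1)` does not depend on `$id`, so it can be evaluated once before the `foreach my $id (@$added, @$removed)` loop instead of per changed bug, and `new Bugzilla::Bug(...)` is indirect-object syntax where `Bugzilla::Bug->new(...)` is the conventional spelling. Note also that the old guard `if ($cgi->param($field))` skipped a field that was absent or empty, whereas the new branch always rewrites it via `$cgi->param($field, join(",", @new))`, so a single-bug form that omits `dependson` or `blocked` now submits an empty list and every existing dependency shows up in `@$removed` — worth confirming that every form posting an `id` to this script sends both fields.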
@@ -353,7 +372,6 @@ if (((defined $cgi->param('id') && $cgi->param('product') ne $oldproduct)
 # now, the rules are pretty simple, and don't look at the field itself very
 # much, but that could be enhanced.
-my $lastbugid = 0;
 my $ownerid;
 my $reporterid;
 my $qacontactid;
--
cgit v1.2.1