Bug 141593 You can add/remove dependencies on bugs you can't see

Patch by Joel Peshkin <bugreport@peshkin.net> r=lpsolit, a=justdave
2024-10-10 20:05:49 +00:00 · 2005-10-18 21:12:47 +00:00 · 2005-10-18 21:12:47 +00:00 · 36cc87edeb
commit 36cc87edeb
parent 43c1bd84c0
3 changed files with 33 additions and 8 deletions
--- a/webtools/bugzilla/post_bug.cgi
+++ b/webtools/bugzilla/post_bug.cgi
@ -261,7 +261,9 @@ foreach my $field ("dependson", "blocked") {
        my @validvalues;
        foreach my $id (split(/[\s,]+/, $cgi->param($field))) {
            next unless $id;
-            ValidateBugID($id, $field);
+            # $field is not passed to ValidateBugID to prevent adding new 
+            # dependencies on inacessible bugs.
+            ValidateBugID($id);
            push(@validvalues, $id);
        }
        $cgi->param(-name => $field, -value => join(",", @validvalues));
--- a/webtools/bugzilla/process_bug.cgi
+++ b/webtools/bugzilla/process_bug.cgi
@ -43,6 +43,7 @@ use strict;
 my $UserInEditGroupSet = -1;
 my $UserInCanConfirmGroupSet = -1;
 my $PrivilegesRequired = 0;
+my $lastbugid = 0;

 use lib qw(.);

@ -144,14 +145,32 @@ ValidateComment(scalar $cgi->param('comment'));
 # is a bug alias that gets converted to its corresponding bug ID
 # during validation.
 foreach my $field ("dependson", "blocked") {
-    if ($cgi->param($field)) {
-        my @validvalues;
+    if ($cgi->param('id')) {
+        my $bug = new Bugzilla::Bug($cgi->param('id'), $user->id);
+        my @old = @{$bug->$field};
+        my @new;
        foreach my $id (split(/[\s,]+/, $cgi->param($field))) {
            next unless $id;
            ValidateBugID($id, $field);
-            push(@validvalues, $id);
+            push @new, $id;
        }
-        $cgi->param($field, join(",", @validvalues));
+        $cgi->param($field, join(",", @new));
+        my ($added, $removed) = Bugzilla::Util::diff_arrays(\@old, \@new);
+        foreach my $id (@$added , @$removed) {
+            # ValidateBugID is called without $field here so that it will
+            # throw an error if any of the changed bugs are not visible.
+            ValidateBugID($id);
+            if (!CheckCanChangeField($field, $bug->bug_id, 0, 1)) {
+                $vars->{'privs'} = $PrivilegesRequired;
+                $vars->{'field'} = $field;
+                ThrowUserError("illegal_change", $vars);
+            }
+        }
+    } else {
+        # Bugzilla does not support mass-change of dependencies so they
+        # are not validated.  To prevent a URL-hacking risk, the dependencies
+        # are deleted for mass-changes.
+        $cgi->delete($field);
    }
 }

@ -353,7 +372,6 @@ if (((defined $cgi->param('id') && $cgi->param('product') ne $oldproduct)
 # now, the rules are pretty simple, and don't look at the field itself very
 # much, but that could be enhanced.

-my $lastbugid = 0;
 my $ownerid;
 my $reporterid;
 my $qacontactid;
--- a/webtools/bugzilla/template/en/default/global/user-error.html.tmpl
+++ b/webtools/bugzilla/template/en/default/global/user-error.html.tmpl
@ -524,8 +524,13 @@
    [% title = "Not allowed" %]
    You tried to change the 
    <strong>[% field_descs.$field FILTER html %]</strong> field 
-    from <em>[% oldvalue FILTER html %]</em> to 
-    <em>[% newvalue FILTER html %]</em>, but only
+    [% IF oldvalue %]
+      from <em>[% oldvalue FILTER html %]</em>
+    [% END %]
+    [% IF newvalue %]
+      to <em>[% newvalue FILTER html %]</em>
+    [% END %]
+    , but only
    [% IF privs < 3 %]
      the assignee
      [% IF privs < 2 %] or reporter [% END %]