Fix for bug 46002 (reports.cgi allows users to view restricted products).

Patch submitted by jmrobins@tgix.com (Joe Robins)
2025-02-03 20:49:27 +00:00 · 2000-07-21 17:00:40 +00:00 · 2000-07-21 17:00:40 +00:00 · 8ac9893990
commit 8ac9893990
parent d81b052255
1 changed files with 34 additions and 1 deletions
--- a/webtools/bugzilla/reports.cgi
+++ b/webtools/bugzilla/reports.cgi
@ -25,6 +25,9 @@
 #    Added -All- report, change "nobanner" to "banner" (it is strange to have a
 #    list with 2 positive and 1 negative choice), default links on, add show
 #    sql comment.
+# Joe Robins <jmrobins@tgix.com>,
+#    If using the usebuggroups parameter, users shouldn't be able to see
+#    reports for products they don't have access to.

 use diagnostics;
 use strict;
@ -52,6 +55,10 @@ my %reports =
 	"show_chart" => \&show_chart,
 	);

+# If we're using bug groups for products, we should apply those restrictions
+# to viewing reports, as well.  Time to check the login in that case.
+quietly_check_login();
+
 print "Content-type: text/html\n";
 print "Content-disposition: attachment; filename=bugzilla_report.html\n\n";

@ -68,8 +75,21 @@ else
 ConnectToDatabase(1);
 GetVersionTable();

+# If the usebuggroups parameter is set, we don't want to list all products.
+# We only want those products that the user has permissions for.
 my @myproducts;
-push( @myproducts, "-All-", @::legal_product );
+if(Param("usebuggroups")) {
+  push( @myproducts, "-All-");
+  foreach my $this_product (@::legal_product) {
+    if(GroupExists($this_product) && !UserInGroup($this_product)) {
+      next;
+    } else {
+      push( @myproducts, $this_product )
+    }
+  }
+} else {
+  push( @myproducts, "-All-", @::legal_product );
+}

 $::FORM{'output'} = $::FORM{'output'} || "most_doomed"; # a reasonable default

@ -79,6 +99,19 @@ if (! defined $::FORM{'product'})
 	}
 else
 	{
+          # If usebuggroups is on, we don't want people to be able to view
+          # reports for products they don't have permissions for...
+          if(Param("usebuggroups") &&
+             GroupExists($::FORM{'product'}) &&
+             !UserInGroup($::FORM{'product'})) {
+            print "<H1>Permission denied.</H1>\n";
+            print "Sorry; you do not have the permissions necessary to view\n";
+            print "reports for this product.\n";
+            print "<P>\n";
+            PutFooter();
+            exit;
+          }
+          
 	# we want to be careful about what subroutines 
 	# can be called from outside. modify %reports
 	# accordingly when a new report type is added