aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjustdave%syndicomm.com <>2001-06-06 11:32:45 +0000
committerjustdave%syndicomm.com <>2001-06-06 11:32:45 +0000
commit6d9f4df1cac372b2bfbcdb1fe947c302964fb509 (patch)
tree1725d60f44145f3cbb504edc663cf49464fa7134
parentFix for bug 28458: "NEW" bugs were not getting CC or QA Contact information d... (diff)
downloadbugzilla-6d9f4df1cac372b2bfbcdb1fe947c302964fb509.tar.gz
bugzilla-6d9f4df1cac372b2bfbcdb1fe947c302964fb509.tar.bz2
bugzilla-6d9f4df1cac372b2bfbcdb1fe947c302964fb509.zip
Fix for bug 82781: describecomponents.cgi now checks viewing permissions to make sure you can see a product
Patch by Myk Melez <myk@mozilla.org> r= tara@tequilarista.org
-rwxr-xr-xdescribecomponents.cgi44
1 files changed, 42 insertions, 2 deletions
diff --git a/describecomponents.cgi b/describecomponents.cgi
index 4353af2fc..95f5ba316 100755
--- a/describecomponents.cgi
+++ b/describecomponents.cgi
@@ -30,10 +30,50 @@ require "CGI.pl";
ConnectToDatabase();
GetVersionTable();
+quietly_check_login();
+
+######################################################################
+# Begin Data/Security Validation
+######################################################################
+
+# If this installation uses bug groups to restrict access to products,
+# only show the user products that don't have their own bug group or
+# those whose bug group the user is a member of. Otherwise, if this
+# installation doesn't use bug groups, show the user all legal products.
+my @products;
+if ( Param("usebuggroups") ) {
+ @products = grep( !GroupExists($_) || UserInGroup($_) , @::legal_product );
+} else {
+ @products = @::legal_product;
+}
+
+if ( defined $::FORM{'product'} ) {
+ # Make sure the user specified a valid product name. Note that
+ # if the user specifies a valid product name but is not authorized
+ # to access that product, they will receive a different error message
+ # which could enable people guessing product names to determine
+ # whether or not certain products exist in Bugzilla, even if they
+ # cannot get any other information about that product.
+ grep( $::FORM{'product'} eq $_ , @::legal_product )
+ || DisplayError("The product name is invalid.")
+ && exit;
+
+ # Make sure the user is authorized to access this product.
+ if ( Param("usebuggroups") && GroupExists($::FORM{'product'}) ) {
+ UserInGroup($::FORM{'product'})
+ || DisplayError("You are not authorized to access that product.")
+ && exit;
+ }
+}
+
+######################################################################
+# End Data/Security Validation
+######################################################################
+
print "Content-type: text/html\n\n";
my $product = $::FORM{'product'};
-if (!defined $product || lsearch(\@::legal_product, $product) < 0) {
+if (!defined $product || lsearch(\@products, $product) < 0) {
PutHeader("Bugzilla component description");
print "
@@ -42,7 +82,7 @@ Please specify the product whose components you want described.
<P>
Product: <SELECT NAME=product>
";
- print make_options(\@::legal_product);
+ print make_options(\@products);
print "
</SELECT>
<P>