author | bugreport%peshkin.net <> | 2004-07-06 08:12:29 +0000 |
---|---|---|
committer | bugreport%peshkin.net <> | 2004-07-06 08:12:29 +0000 |
commit | 73fd49ff3bbff6244802ba548bb22c2be39014e1 (patch) | |
tree | f7b78fde82e5557d604de9282d19c235dfc3dea1 | |
parent | Bug 249862: remove duplicate </tr> from login page (diff) | |
Bug 243463 Use a param to protect new charts from leaking information
r=justdave
a=justdave
-rwxr-xr-x | chart.cgi | 4 | ||||
-rw-r--r-- | defparams.pl | 11 | ||||
-rwxr-xr-x | editproducts.cgi | 59 | ||||
-rw-r--r-- | template/en/default/reports/menu.html.tmpl | 10 |
4 files changed, 53 insertions, 31 deletions
@@ -84,6 +84,10 @@ if ($action eq "search") {
 Bugzilla->login(LOGIN_REQUIRED);
+UserInGroup(Param("chartgroup"))
+ || ThrowUserError("authorization_failure",
+ {action => "use this feature"});
+
 # Only admins may create public queries
 UserInGroup('admin') || $cgi->delete('public');
diff --git a/defparams.pl b/defparams.pl
index 849c033ea..6861d0447 100644
--- a/defparams.pl
+++ b/defparams.pl
@@ -1035,6 +1035,17 @@ Reason: %reason%
 },
 {
+ name => 'chartgroup',
+ desc => 'The name of the group of users who can use the "New Charts" ' .
+ 'feature. Administrators should ensure that the public categories ' .
+ 'and series definitions do not divulge unwanted information ' .
+ 'before enabling this for an untrusted population. If left blank, ' .
+ 'no users will be able to use New Charts.',
+ type => 't',
+ default => ''
+ },
+
+ {
 name => 'insidergroup',
 desc => 'The name of the group of users who can see/change private ' .
 'comments and attachments.',
diff --git a/editproducts.cgi b/editproducts.cgi
index 8cf9a309d..6d33c8080 100755
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -271,6 +271,10 @@ if ($action eq 'add') {
 print "</TR><TR>\n";
 print " <TH ALIGN=\"right\">Version:</TH>\n";
 print " <TD><INPUT SIZE=64 MAXLENGTH=255 NAME=\"version\" VALUE=\"unspecified\"></TD>\n";
+ print "</TR><TR>\n";
+ print " <TH ALIGN=\"right\">Create chart datasets for this product:</TH>\n";
+ print " <TD><INPUT TYPE=CHECKBOX NAME=\"createseries\" VALUE=1></TD>";
+ print "</TR>\n";
 print "</TABLE>\n<HR>\n";
 print "<INPUT TYPE=SUBMIT VALUE=\"Add\">\n";
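Review bot: The `UserInGroup(Param("chartgroup"))` guard is placed inside the `if ($action eq "search")` branch, so it only gates the search action; if chart.cgi serves other actions further down the file (outside this hunk), those paths remain reachable without group membership, and the template change merely hides a link. If the whole feature is meant to be restricted, the check belongs once, right after a script-level `Bugzilla->login(LOGIN_REQUIRED)`, or on every action branch. The blank default from defparams.pl also relies on `UserInGroup("")` being false for nobody to qualify; spelling that out avoids depending on how an empty group name is looked up: `Param("chartgroup") && UserInGroup(Param("chartgroup")) || ThrowUserError("authorization_failure", {action => "use this feature"});`. The enclosing `if` block starts and ends outside the hunk.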
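Review bot: Nothing validates that the `chartgroup` value names an existing group (`type => 't'` is free text), so a mistyped name presumably makes `UserInGroup` false for everyone and New Charts simply disappears, with no error at the time the param is saved. If params in this file can carry a validation callback, one that accepts either an empty value or an existing group name would surface the typo immediately; failing that, a sentence in `desc` such as `'The name must exactly match an existing group.'` would at least point an administrator in the right direction. The warning in `desc` about public categories and series definitions is the right thing to say and should stay.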
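Review bot: The checkbox line is the only one of the four new `print` statements without a trailing `\n`, and it leaves `TYPE` and `VALUE` unquoted while the neighbouring `version` input quotes `NAME` and `VALUE`; for consistency with the surrounding markup, `print " <TD><INPUT TYPE=\"CHECKBOX\" NAME=\"createseries\" VALUE=\"1\"></TD>\n";`. The enclosing `if ($action eq 'add')` block starts and ends outside the hunk.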
@@ -389,36 +393,37 @@ if ($action eq 'new') {
 CONTROLMAPNA . ", 0)");
 }
- # Insert default charting queries for this product.
- # If they aren't using charting, this won't do any harm.
- GetVersionTable();
-
- my @series;
-
- # We do every status, every resolution, and an "opened" one as well.
- foreach my $bug_status (@::legal_bug_status) {
- push(@series, [$bug_status, "bug_status=$bug_status"]);
- }
+ if ($::FORM{createseries}) {
+ # Insert default charting queries for this product.
+ # If they aren't using charting, this won't do any harm.
+ GetVersionTable();
+
+ my @series;
+
+ # We do every status, every resolution, and an "opened" one as well.
+ foreach my $bug_status (@::legal_bug_status) {
+ push(@series, [$bug_status, "bug_status=$bug_status"]);
+ }
- foreach my $resolution (@::legal_resolution) {
- next if !$resolution;
- push(@series, [$resolution, "resolution=$resolution"]);
- }
+ foreach my $resolution (@::legal_resolution) {
+ next if !$resolution;
+ push(@series, [$resolution, "resolution=$resolution"]);
+ }
- # For localisation reasons, we get the name of the "global" subcategory
- # and the title of the "open" query from the submitted form.
- my @openedstatuses = ("UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED");
- my $query = join("&", map { "bug_status=$_" } @openedstatuses);
- push(@series, [$::FORM{'open_name'}, $query]);
-
- foreach my $sdata (@series) {
- my $series = new Bugzilla::Series(undef, $product,
- $::FORM{'subcategory'},
- $sdata->[0], $::userid, 1,
- $sdata->[1] . "&product=$product", 1);
- $series->writeToDatabase();
+ # For localisation reasons, we get the name of the "global" subcategory
+ # and the title of the "open" query from the submitted form.
+ my @openedstatuses = ("UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED");
+ my $query = join("&", map { "bug_status=$_" } @openedstatuses);
+ push(@series, [$::FORM{'open_name'}, $query]);
+
+ foreach my $sdata (@series) {
+ my $series = new Bugzilla::Series(undef, $product,
+ $::FORM{'subcategory'},
+ $sdata->[0], $::userid, 1,
+ $sdata->[1] . "&product=$product", 1);
+ $series->writeToDatabase();
+ }
 }
-
 # Make versioncache flush
 unlink "$datadir/versioncache";
diff --git a/template/en/default/reports/menu.html.tmpl b/template/en/default/reports/menu.html.tmpl
index 7481790fd..5ac1516d5 100644
--- a/template/en/default/reports/menu.html.tmpl
+++ b/template/en/default/reports/menu.html.tmpl
@@ -64,10 +64,12 @@ plot the status and/or resolution of [% terms.bugs %] against time, for each product in your database. </li>
- <li>
- <strong><a href="chart.cgi">New Charts</a></strong> -
- plot any arbitrary search against time. Far more powerful.
- </li>
+ [% IF UserInGroup(Param("chartgroup")) %]
+ <li>
+ <strong><a href="chart.cgi">New Charts</a></strong> -
+ plot any arbitrary search against time. Far more powerful.
+ </li>
+ [% END %]
 </ul>
 [% PROCESS global/footer.html.tmpl %] |
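Review bot: The re-indented block keeps `new Bugzilla::Series(undef, $product, ...)` in indirect-object form; since every one of these lines is rewritten by the commit anyway, this is the moment to change it to `my $series = Bugzilla::Series->new(undef, $product,` and drop the parse ambiguity that syntax carries. The new condition `$::FORM{createseries}` uses a bareword key while the same hunk writes `$::FORM{'open_name'}` and `$::FORM{'subcategory'}`; pick one quoting style. The removed blank line leaves the closing `}` directly against `# Make versioncache flush`, which reads as if the comment belonged to the new `if`. The enclosing `if ($action eq 'new')` block starts outside the hunk.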