Commit a1d58085 authored by jocuri%softhome.net's avatar jocuri%softhome.net

Patch for bug 265898: edit*.cgi files should all use ThrowUserError(); patch by…

Patch for bug 265898: edit*.cgi files should all use ThrowUserError(); patch by Frédéric Buclin <LpSolit@gmail.com>, r=vladd, a=myk.
parent 0d26bef4
...@@ -85,8 +85,9 @@ if ($action eq "search") { ...@@ -85,8 +85,9 @@ if ($action eq "search") {
Bugzilla->login(LOGIN_REQUIRED); Bugzilla->login(LOGIN_REQUIRED);
UserInGroup(Param("chartgroup")) UserInGroup(Param("chartgroup"))
|| ThrowUserError("authorization_failure", || ThrowUserError("auth_failure", {group => Param("chartgroup"),
{action => "use this feature"}); action => "use",
object => "charts"});
# Only admins may create public queries # Only admins may create public queries
UserInGroup('admin') || $cgi->delete('public'); UserInGroup('admin') || $cgi->delete('public');
...@@ -78,7 +78,11 @@ Bugzilla->login(LOGIN_REQUIRED); ...@@ -78,7 +78,11 @@ Bugzilla->login(LOGIN_REQUIRED);
print $cgi->header(); print $cgi->header();
ThrowUserError("auth_cant_edit_classifications") unless UserInGroup("editclassifications"); UserInGroup("editclassifications")
|| ThrowUserError("auth_failure", {group => "editclassifications",
action => "edit",
object => "classifications"});
ThrowUserError("auth_classification_not_enabled") unless Param("useclassification"); ThrowUserError("auth_classification_not_enabled") unless Param("useclassification");
# #
...@@ -117,11 +117,10 @@ Bugzilla->login(LOGIN_REQUIRED); ...@@ -117,11 +117,10 @@ Bugzilla->login(LOGIN_REQUIRED);
print Bugzilla->cgi->header(); print Bugzilla->cgi->header();
unless (UserInGroup("editcomponents")) { UserInGroup("editcomponents")
ThrowUserError('auth_cant_edit_components'); || ThrowUserError("auth_failure", {group => "editcomponents",
exit; action => "edit",
} object => "components"});
# #
# often used variables # often used variables
...@@ -42,8 +42,9 @@ use vars qw( $template $vars ); ...@@ -42,8 +42,9 @@ use vars qw( $template $vars );
# Make sure the user is logged in and is an administrator. # Make sure the user is logged in and is an administrator.
Bugzilla->login(LOGIN_REQUIRED); Bugzilla->login(LOGIN_REQUIRED);
UserInGroup("editcomponents") UserInGroup("editcomponents")
|| ThrowUserError("authorization_failure", || ThrowUserError("auth_failure", {group => "editcomponents",
{ action => "administer flag types" }); action => "edit",
object => "flagtypes"});
# Suppress "used only once" warnings. # Suppress "used only once" warnings.
use vars qw(@legal_product @legal_components %components); use vars qw(@legal_product @legal_components %components);
...@@ -40,7 +40,10 @@ Bugzilla->login(LOGIN_REQUIRED); ...@@ -40,7 +40,10 @@ Bugzilla->login(LOGIN_REQUIRED);
print Bugzilla->cgi->header(); print Bugzilla->cgi->header();
ThrowUserError("auth_cant_edit_groups") unless UserInGroup("creategroups"); UserInGroup("creategroups")
|| ThrowUserError("auth_failure", {group => "creategroups",
action => "edit",
object => "groups"});
my $action = trim($cgi->param('action') || ''); my $action = trim($cgi->param('action') || '');
...@@ -58,11 +58,10 @@ Bugzilla->login(LOGIN_REQUIRED); ...@@ -58,11 +58,10 @@ Bugzilla->login(LOGIN_REQUIRED);
print Bugzilla->cgi->header(); print Bugzilla->cgi->header();
unless (UserInGroup("editkeywords")) { UserInGroup("editkeywords")
ThrowUserError("keyword_access_denied"); || ThrowUserError("auth_failure", {group => "editkeywords",
exit; action => "edit",
} object => "keywords"});
my $action = trim($cgi->param('action') || ''); my $action = trim($cgi->param('action') || '');
$vars->{'action'} = $action; $vars->{'action'} = $action;
...@@ -125,11 +125,10 @@ Bugzilla->login(LOGIN_REQUIRED); ...@@ -125,11 +125,10 @@ Bugzilla->login(LOGIN_REQUIRED);
print Bugzilla->cgi->header(); print Bugzilla->cgi->header();
unless (UserInGroup("editcomponents")) { UserInGroup("editcomponents")
ThrowUserError('auth_cant_edit_milestones'); || ThrowUserError("auth_failure", {group => "editcomponents",
exit; action => "edit",
} object => "milestones"});
# #
# often used variables # often used variables
...@@ -34,14 +34,10 @@ Bugzilla->login(LOGIN_REQUIRED); ...@@ -34,14 +34,10 @@ Bugzilla->login(LOGIN_REQUIRED);
print Bugzilla->cgi->header(); print Bugzilla->cgi->header();
if (!UserInGroup("tweakparams")) { UserInGroup("tweakparams")
print "<H1>Sorry, you aren't a member of the 'tweakparams' group.</H1>\n"; || ThrowUserError("auth_failure", {group => "tweakparams",
print "And so, you aren't allowed to edit the parameters.\n"; action => "modify",
PutFooter(); object => "parameters"});
exit;
}
PutHeader("Edit parameters"); PutHeader("Edit parameters");
...@@ -244,15 +244,10 @@ Bugzilla->login(LOGIN_REQUIRED); ...@@ -244,15 +244,10 @@ Bugzilla->login(LOGIN_REQUIRED);
print Bugzilla->cgi->header(); print Bugzilla->cgi->header();
unless (UserInGroup("editcomponents")) { UserInGroup("editcomponents")
PutHeader("Not allowed"); || ThrowUserError("auth_failure", {group => "editcomponents",
print "Sorry, you aren't a member of the 'editcomponents' group.\n"; action => "edit",
print "And so, you aren't allowed to add, modify or delete products.\n"; object => "products"});
PutTrailer();
exit;
}
# #
# often used variables # often used variables
...@@ -243,17 +243,12 @@ print Bugzilla->cgi->header(); ...@@ -243,17 +243,12 @@ print Bugzilla->cgi->header();
$editall = UserInGroup("editusers"); $editall = UserInGroup("editusers");
if (!$editall) { $editall
if (!Bugzilla->user->can_bless) { || Bugzilla->user->can_bless
PutHeader("Not allowed"); || ThrowUserError("auth_failure", {group => "editusers",
print "Sorry, you aren't a member of the 'editusers' group, and you\n"; reason => "cant_bless",
print "don't have permissions to put people in or out of any group.\n"; action => "edit",
print "And so, you aren't allowed to add, modify or delete users.\n"; object => "users"});
PutTrailer();
exit;
}
}
# #
...@@ -385,13 +380,10 @@ if ($action eq 'list') { ...@@ -385,13 +380,10 @@ if ($action eq 'list') {
# #
if ($action eq 'add') { if ($action eq 'add') {
$editall || ThrowUserError("auth_failure", {group => "editusers",
action => "add",
object => "users"});
PutHeader("Add user"); PutHeader("Add user");
if (!$editall) {
print "Sorry, you don't have permissions to add new users.";
PutTrailer();
exit;
}
print "<FORM METHOD=POST ACTION=editusers.cgi>\n"; print "<FORM METHOD=POST ACTION=editusers.cgi>\n";
print "<TABLE BORDER=0 CELLPADDING=4 CELLSPACING=0><TR>\n"; print "<TABLE BORDER=0 CELLPADDING=4 CELLSPACING=0><TR>\n";
...@@ -415,13 +407,9 @@ if ($action eq 'add') { ...@@ -415,13 +407,9 @@ if ($action eq 'add') {
# #
if ($action eq 'new') { if ($action eq 'new') {
PutHeader("Adding new user"); $editall || ThrowUserError("auth_failure", {group => "editusers",
action => "add",
if (!$editall) { object => "users"});
print "Sorry, you don't have permissions to add new users.";
PutTrailer();
exit;
}
# Cleanups and valididy checks # Cleanups and valididy checks
my $realname = trim($::FORM{realname} || ''); my $realname = trim($::FORM{realname} || '');
...@@ -432,6 +420,7 @@ if ($action eq 'new') { ...@@ -432,6 +420,7 @@ if ($action eq 'new') {
my $disabledtext = trim($::FORM{disabledtext} || ''); my $disabledtext = trim($::FORM{disabledtext} || '');
my $emailregexp = Param("emailregexp"); my $emailregexp = Param("emailregexp");
PutHeader("Adding new user");
unless ($user) { unless ($user) {
print "You must enter a name for the new user. Please press\n"; print "You must enter a name for the new user. Please press\n";
print "<b>Back</b> and try again.\n"; print "<b>Back</b> and try again.\n";
...@@ -494,17 +483,10 @@ if ($action eq 'new') { ...@@ -494,17 +483,10 @@ if ($action eq 'new') {
# #
if ($action eq 'del') { if ($action eq 'del') {
PutHeader("Delete user $user"); $candelete || ThrowUserError("users_deletion_disabled");
if (!$candelete) { $editall || ThrowUserError("auth_failure", {group => "editusers",
print "Sorry, deleting users isn't allowed."; action => "delete",
PutTrailer(); object => "users"});
exit;
}
if (!$editall) {
print "Sorry, you don't have permissions to delete users.";
PutTrailer();
exit;
}
CheckUser($user); CheckUser($user);
# display some data about the user # display some data about the user
...@@ -514,6 +496,7 @@ if ($action eq 'del') { ...@@ -514,6 +496,7 @@ if ($action eq 'del') {
FetchSQLData(); FetchSQLData();
$realname = ($realname ? html_quote($realname) : "<FONT COLOR=\"red\">missing</FONT>"); $realname = ($realname ? html_quote($realname) : "<FONT COLOR=\"red\">missing</FONT>");
PutHeader("Delete user $user");
print "<TABLE BORDER=1 CELLPADDING=4 CELLSPACING=0>\n"; print "<TABLE BORDER=1 CELLPADDING=4 CELLSPACING=0>\n";
print "<TR BGCOLOR=\"#6666FF\">\n"; print "<TR BGCOLOR=\"#6666FF\">\n";
print " <TH VALIGN=\"top\" ALIGN=\"left\">Part</TH>\n"; print " <TH VALIGN=\"top\" ALIGN=\"left\">Part</TH>\n";
...@@ -628,17 +611,10 @@ if ($action eq 'del') { ...@@ -628,17 +611,10 @@ if ($action eq 'del') {
# #
if ($action eq 'delete') { if ($action eq 'delete') {
PutHeader("Deleting user"); $candelete || ThrowUserError("users_deletion_disabled");
if (!$candelete) { $editall || ThrowUserError("auth_failure", {group => "editusers",
print "Sorry, deleting users isn't allowed."; action => "delete",
PutTrailer(); object => "users"});
exit;
}
if (!$editall) {
print "Sorry, you don't have permissions to delete users.";
PutTrailer();
exit;
}
CheckUser($user); CheckUser($user);
SendSQL("SELECT userid SendSQL("SELECT userid
...@@ -651,8 +627,9 @@ if ($action eq 'delete') { ...@@ -651,8 +627,9 @@ if ($action eq 'delete') {
WHERE login_name=" . SqlQuote($user)); WHERE login_name=" . SqlQuote($user));
SendSQL("DELETE FROM user_group_map SendSQL("DELETE FROM user_group_map
WHERE user_id=" . $userid); WHERE user_id=" . $userid);
print "User deleted.<BR>\n";
PutHeader("Deleting user");
print "User deleted.<BR>\n";
PutTrailer($localtrailer); PutTrailer($localtrailer);
exit; exit;
} }
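Review bot: The two-statement guard `$candelete || ThrowUserError("users_deletion_disabled");` followed by `$editall || ThrowUserError("auth_failure", {group => "editusers", action => "delete", object => "users"});` is duplicated verbatim in the `del` and `delete` branches, and the `$editall || ThrowUserError(...)` form repeats again in `add` and `new`. Because the top-of-file check admits any user who can bless a group (`$editall || Bugzilla->user->can_bless || ThrowUserError(...)`), every privileged branch depends on remembering this per-action re-check, so a missing one would not fail loudly. A small helper such as `sub require_editall { $editall || ThrowUserError("auth_failure", {group => "editusers", action => shift, object => "users"}); }` (constructed example) would make an omitted check visible in review. Whether the actions not shown in this diff (for example the update path) carry the same re-check cannot be seen from these hunks.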
...@@ -72,7 +72,10 @@ my $sth; # database statement handle ...@@ -72,7 +72,10 @@ my $sth; # database statement handle
my $events = get_events($userid); my $events = get_events($userid);
# First see if this user may use whines # First see if this user may use whines
ThrowUserError('whine_access_denied') unless (UserInGroup('bz_canusewhines')); UserInGroup("bz_canusewhines")
|| ThrowUserError("auth_failure", {group => "bz_canusewhines",
action => "schedule",
object => "reports"});
# May this user send mail to other users? # May this user send mail to other users?
my $can_mail_others = UserInGroup('bz_canusewhineatothers'); my $can_mail_others = UserInGroup('bz_canusewhineatothers');
...@@ -17,6 +17,7 @@ ...@@ -17,6 +17,7 @@
# Rights Reserved. # Rights Reserved.
# #
# Contributor(s): Gervase Markham <gerv@gerv.net> # Contributor(s): Gervase Markham <gerv@gerv.net>
# Frédéric Buclin <LpSolit@netscape.net>
#%] #%]
[%# INTERFACE: [%# INTERFACE:
...@@ -96,14 +97,60 @@ ...@@ -96,14 +97,60 @@
account creation. Please contact an administrator to get a new account account creation. Please contact an administrator to get a new account
created. created.
[% ELSIF error == "auth_cant_edit_groups" %] [% ELSIF error == "auth_failure" %]
[% title = "Not authorized to edit groups" %] [% title = "Authorization Required" %]
Sorry, you aren't a member of the 'creategroups' group. And so, Sorry,
you aren't allowed to edit the groups. [% IF group %]
you aren't a member of the '[% group FILTER html %]' group,
[% END %]
[% IF reason %]
[% IF group %] and [% END %]
[% IF reason == "cant_bless" %]
you don't have permissions to put people in or out of any group,
[% END %]
[% END %]
and so you aren't allowed to
[% IF action == "add" %]
add new
[% ELSIF action == "modify" %]
modify
[% ELSIF action == "delete" %]
delete
[% ELSIF action == "edit" %]
add, modify or delete
[% ELSIF action == "schedule" %]
schedule
[% ELSIF action == "use" %]
use
[% END %]
[% ELSIF error == "authorization_failure" %] [% IF object == "charts" %]
[% title = "Authorization Failed" %] the "New Charts" feature
You are not allowed to [% action FILTER html %]. [% ELSIF object == "classifications" %]
classifications
[% ELSIF object == "components" %]
components
[% ELSIF object == "flagtypes" %]
flag types
[% ELSIF object == "groups" %]
groups
[% ELSIF object == "keywords" %]
keywords
[% ELSIF object == "milestones" %]
milestones
[% ELSIF object == "parameters" %]
parameters
[% ELSIF object == "products" %]
products
[% ELSIF object == "reports" %]
whine reports
[% ELSIF object == "users" %]
users
[% ELSIF object == "versions" %]
versions
[% END %].
[% ELSIF error == "attachment_access_denied" %] [% ELSIF error == "attachment_access_denied" %]
[% title = "Access Denied" %] [% title = "Access Denied" %]
...@@ -146,11 +193,6 @@ ...@@ -146,11 +193,6 @@
[% title = "Classification Not Enabled" %] [% title = "Classification Not Enabled" %]
Sorry, classification is not enabled. Sorry, classification is not enabled.
[% ELSIF error == "auth_cant_edit_classifications" %]
[% title = "Access Denied" %]
Sorry, you aren't a member of the 'editclassifications' group, and so
you aren't allowed to add, modify or delete classifications.
[% ELSIF error == "classification_not_specified" %] [% ELSIF error == "classification_not_specified" %]
[% title = "You Must Supply A Classification Name" %] [% title = "You Must Supply A Classification Name" %]
You must enter a classification name. You must enter a classification name.
...@@ -176,16 +218,6 @@ ...@@ -176,16 +218,6 @@
Sorry, but you can not delete the default classification, Sorry, but you can not delete the default classification,
'[% name FILTER html %]'. '[% name FILTER html %]'.
[% ELSIF error == "auth_cant_edit_components" %]
[% title = "Access Denied" %]
Sorry, you aren't a member of the 'editcomponents' group, and so
you aren't allowed to add, modify or delete components.
[% ELSIF error == "auth_cant_edit_milestones" %]
[% title = "Access Denied" %]
Sorry, you aren't a member of the 'editcomponents' group, and so
you aren't allowed to add, modify or delete milestones.
[% ELSIF error == "auth_cant_edit_versions" %] [% ELSIF error == "auth_cant_edit_versions" %]
[% title = "Access Denied" %] [% title = "Access Denied" %]
Sorry, you aren't a member of the 'editcomponents' group, and so Sorry, you aren't a member of the 'editcomponents' group, and so
...@@ -555,11 +587,6 @@ ...@@ -555,11 +587,6 @@
[% title = "Invalid Username Or Password" %] [% title = "Invalid Username Or Password" %]
The username or password you entered is not valid. The username or password you entered is not valid.
[% ELSIF error == "keyword_access_denied" %]
[% title = "Access Denied" %]
Sorry, you aren't a member of the 'editkeywords' group, and so
you aren't allowed to add, modify or delete keywords.
[% ELSIF error == "keyword_already_exists" %] [% ELSIF error == "keyword_already_exists" %]
[% title = "Keyword Already Exists" %] [% title = "Keyword Already Exists" %]
A keyword with the name [% name FILTER html %] already exists. A keyword with the name [% name FILTER html %] already exists.
...@@ -958,6 +985,10 @@ ...@@ -958,6 +985,10 @@
The version '[% version FILTER html %]' for product The version '[% version FILTER html %]' for product
'[% product FILTER html %]' does not exist. '[% product FILTER html %]' does not exist.
[% ELSIF error == "users_deletion_disabled" %]
[% title = "Deletion not activated" %]
Sorry, the deletion of user accounts is not allowed.
[% ELSIF error == "votes_must_be_nonnegative" %] [% ELSIF error == "votes_must_be_nonnegative" %]
[% title = "Votes Must Be Non-negative" %] [% title = "Votes Must Be Non-negative" %]
Only use non-negative numbers for your [% terms.bug %] votes. Only use non-negative numbers for your [% terms.bug %] votes.
...@@ -979,11 +1010,6 @@ ...@@ -979,11 +1010,6 @@
Value is out of range for field Value is out of range for field
<em>[% field_descs.$field FILTER html %]</em>. <em>[% field_descs.$field FILTER html %]</em>.
[% ELSIF error == "whine_access_denied" %]
[% title = "Access Denied" %]
Sorry, you aren't a member of the 'bz_canusewhines' group, and so
you aren't allowed to schedule whine reports.
[% ELSIF error == "zero_length_file" %] [% ELSIF error == "zero_length_file" %]
[% title = "File Is Empty" %] [% title = "File Is Empty" %]
The file you are trying to attach is empty! The file you are trying to attach is empty!
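Review bot: The new `auth_failure` block has no fallback when `action` or `object` is outside its fixed list: the `[% IF action == "add" %] … [% END %]` and `[% IF object == "charts" %] … [% END %].` chains close without an `[% ELSE %]`, so an unlisted value renders "and so you aren't allowed to ." with the verb or noun silently missing. Adding `[% ELSE %][% action FILTER html %]` and `[% ELSE %][% object FILTER html %]` before each closing `[% END %]` keeps the message intelligible, and HTML-escaped, for callers added later. The `versions` object case has no caller in this commit while the `auth_cant_edit_versions` block further down is kept, so that part of the conversion looks unfinished.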