Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk
Родитель
ec1f3c9922
Коммит
f417e3b2fe
|
@ -18,6 +18,7 @@
|
|||
# Rights Reserved.
|
||||
#
|
||||
# Contributor(s): Myk Melez <myk@mozilla.org>
|
||||
# Frédéric Buclin <LpSolit@gmail.com>
|
||||
|
||||
################################################################################
|
||||
# Module Initialization
|
||||
|
@ -36,6 +37,11 @@ use Bugzilla::Util;
|
|||
|
||||
use Date::Format;
|
||||
use Date::Parse;
|
||||
use File::Basename;
|
||||
|
||||
use base qw(Exporter);
|
||||
|
||||
@Bugzilla::Token::EXPORT = qw(issue_session_token check_token_data delete_token);
|
||||
|
||||
################################################################################
|
||||
# Public Functions
|
||||
|
@ -156,7 +162,7 @@ sub IssuePasswordToken {
|
|||
MessageToMTA($message);
|
||||
}
|
||||
|
||||
sub IssueSessionToken {
|
||||
sub issue_session_token {
|
||||
# Generates a random token, adds it to the tokens table, and returns
|
||||
# the token to the caller.
|
||||
|
||||
|
@ -243,7 +249,7 @@ sub Cancel {
|
|||
MessageToMTA($message);
|
||||
|
||||
# Delete the token from the database.
|
||||
DeleteToken($token);
|
||||
delete_token($token);
|
||||
}
|
||||
|
||||
sub DeletePasswordTokens {
|
||||
|
@ -279,6 +285,7 @@ sub GetTokenData {
|
|||
my $dbh = Bugzilla->dbh;
|
||||
|
||||
return unless defined $token;
|
||||
$token = clean_text($token);
|
||||
trick_taint($token);
|
||||
|
||||
return $dbh->selectrow_array(
|
||||
|
@ -288,7 +295,7 @@ sub GetTokenData {
|
|||
}
|
||||
|
||||
# Deletes specified token
|
||||
sub DeleteToken {
|
||||
sub delete_token {
|
||||
my ($token) = @_;
|
||||
my $dbh = Bugzilla->dbh;
|
||||
|
||||
|
@ -300,6 +307,50 @@ sub DeleteToken {
|
|||
$dbh->bz_unlock_tables();
|
||||
}
|
||||
|
||||
# Given a token, makes sure it comes from the currently logged in user
|
||||
# and match the expected event. Returns 1 on success, else displays a warning.
|
||||
# Note: this routine must not be called while tables are locked as it will try
|
||||
# to lock some tables itself, see CleanTokenTable().
|
||||
sub check_token_data {
|
||||
my ($token, $expected_action) = @_;
|
||||
my $user = Bugzilla->user;
|
||||
my $template = Bugzilla->template;
|
||||
my $cgi = Bugzilla->cgi;
|
||||
|
||||
my ($creator_id, $date, $token_action) = GetTokenData($token);
|
||||
unless ($creator_id
|
||||
&& $creator_id == $user->id
|
||||
&& $token_action eq $expected_action)
|
||||
{
|
||||
# Something is going wrong. Ask confirmation before processing.
|
||||
# It is possible that someone tried to trick an administrator.
|
||||
# In this case, we want to know his name!
|
||||
require Bugzilla::User;
|
||||
|
||||
my $vars = {};
|
||||
$vars->{'abuser'} = Bugzilla::User->new($creator_id)->identity;
|
||||
$vars->{'token_action'} = $token_action;
|
||||
$vars->{'expected_action'} = $expected_action;
|
||||
$vars->{'script_name'} = basename($0);
|
||||
|
||||
# Now is a good time to remove old tokens from the DB.
|
||||
CleanTokenTable();
|
||||
|
||||
# If no token was found, create a valid token for the given action.
|
||||
unless ($creator_id) {
|
||||
$token = issue_session_token($expected_action);
|
||||
$cgi->param('token', $token);
|
||||
}
|
||||
|
||||
print $cgi->header();
|
||||
|
||||
$template->process('admin/confirm-action.html.tmpl', $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
exit;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Internal Functions
|
||||
################################################################################
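Review bot: In `check_token_data`, the mismatch branch calls `Bugzilla::User->new($creator_id)->identity` even when `GetTokenData` returned nothing, so a missing or expired token reaches the constructor with an undefined id. Whether `Bugzilla::User->new` tolerates that is not visible here; a guard such as `$vars->{'abuser'} = Bugzilla::User->new($creator_id)->identity if $creator_id;` keeps the confirmation page from depending on it. The header comment should also state that on failure the routine prints the confirmation page and exits, and that it may store a freshly issued token in the CGI `token` parameter, because "displays a warning" does not tell callers either of those things.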
|
||||
|
|
|
@ -825,7 +825,7 @@ sub delete_attachment {
|
|||
}
|
||||
|
||||
# Now delete the token.
|
||||
Bugzilla::Token::DeleteToken($token);
|
||||
delete_token($token);
|
||||
|
||||
# Paste the reason provided by the admin into a comment.
|
||||
AppendComment($bug_id, $user->id, $msg);
|
||||
|
@ -835,7 +835,7 @@ sub delete_attachment {
|
|||
}
|
||||
else {
|
||||
# Create a token.
|
||||
$token = Bugzilla::Token::IssueSessionToken('attachment' . $attach_id);
|
||||
$token = issue_session_token('attachment' . $attach_id);
|
||||
|
||||
$vars->{'a'} = $attachment;
|
||||
$vars->{'token'} = $token;
|
||||
|
|
|
@ -28,6 +28,7 @@ use Bugzilla::Constants;
|
|||
use Bugzilla::Util;
|
||||
use Bugzilla::Error;
|
||||
use Bugzilla::Classification;
|
||||
use Bugzilla::Token;
|
||||
|
||||
my $dbh = Bugzilla->dbh;
|
||||
my $cgi = Bugzilla->cgi;
|
||||
|
@ -68,7 +69,8 @@ ThrowUserError("auth_classification_not_enabled")
|
|||
#
|
||||
my $action = trim($cgi->param('action') || '');
|
||||
my $class_name = trim($cgi->param('classification') || '');
|
||||
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
#
|
||||
# action='' -> Show nice list of classifications
|
||||
#
|
||||
|
@ -88,6 +90,7 @@ unless ($action) {
|
|||
#
|
||||
|
||||
if ($action eq 'add') {
|
||||
$vars->{'token'} = issue_session_token('add_classification');
|
||||
LoadTemplate($action);
|
||||
}
|
||||
|
||||
|
@ -96,6 +99,7 @@ if ($action eq 'add') {
|
|||
#
|
||||
|
||||
if ($action eq 'new') {
|
||||
check_token_data($token, 'add_classification');
|
||||
|
||||
$class_name || ThrowUserError("classification_not_specified");
|
||||
|
||||
|
@ -124,6 +128,7 @@ if ($action eq 'new') {
|
|||
|
||||
$vars->{'classification'} = $class_name;
|
||||
|
||||
delete_token($token);
|
||||
LoadTemplate($action);
|
||||
}
|
||||
|
||||
|
@ -147,6 +152,7 @@ if ($action eq 'del') {
|
|||
}
|
||||
|
||||
$vars->{'classification'} = $classification;
|
||||
$vars->{'token'} = issue_session_token('delete_classification');
|
||||
|
||||
LoadTemplate($action);
|
||||
}
|
||||
|
@ -156,6 +162,7 @@ if ($action eq 'del') {
|
|||
#
|
||||
|
||||
if ($action eq 'delete') {
|
||||
check_token_data($token, 'delete_classification');
|
||||
|
||||
my $classification =
|
||||
Bugzilla::Classification::check_classification($class_name);
|
||||
|
@ -179,6 +186,7 @@ if ($action eq 'delete') {
|
|||
|
||||
$vars->{'classification'} = $classification;
|
||||
|
||||
delete_token($token);
|
||||
LoadTemplate($action);
|
||||
}
|
||||
|
||||
|
@ -194,6 +202,7 @@ if ($action eq 'edit') {
|
|||
Bugzilla::Classification::check_classification($class_name);
|
||||
|
||||
$vars->{'classification'} = $classification;
|
||||
$vars->{'token'} = issue_session_token('edit_classification');
|
||||
|
||||
LoadTemplate($action);
|
||||
}
|
||||
|
@ -203,6 +212,7 @@ if ($action eq 'edit') {
|
|||
#
|
||||
|
||||
if ($action eq 'update') {
|
||||
check_token_data($token, 'edit_classification');
|
||||
|
||||
$class_name || ThrowUserError("classification_not_specified");
|
||||
|
||||
|
@ -254,6 +264,7 @@ if ($action eq 'update') {
|
|||
|
||||
$dbh->bz_unlock_tables();
|
||||
|
||||
delete_token($token);
|
||||
LoadTemplate($action);
|
||||
}
|
||||
|
||||
|
@ -270,25 +281,30 @@ if ($action eq 'reclassify') {
|
|||
WHERE name = ?");
|
||||
|
||||
if (defined $cgi->param('add_products')) {
|
||||
check_token_data($token, 'reclassify_classifications');
|
||||
if (defined $cgi->param('prodlist')) {
|
||||
foreach my $prod ($cgi->param("prodlist")) {
|
||||
trick_taint($prod);
|
||||
$sth->execute($classification->id, $prod);
|
||||
}
|
||||
}
|
||||
delete_token($token);
|
||||
} elsif (defined $cgi->param('remove_products')) {
|
||||
check_token_data($token, 'reclassify_classifications');
|
||||
if (defined $cgi->param('myprodlist')) {
|
||||
foreach my $prod ($cgi->param("myprodlist")) {
|
||||
trick_taint($prod);
|
||||
$sth->execute(1,$prod);
|
||||
}
|
||||
}
|
||||
delete_token($token);
|
||||
}
|
||||
|
||||
my @classifications =
|
||||
Bugzilla::Classification::get_all_classifications;
|
||||
$vars->{'classifications'} = \@classifications;
|
||||
$vars->{'classification'} = $classification;
|
||||
$vars->{'token'} = issue_session_token('reclassify_classifications');
|
||||
|
||||
LoadTemplate($action);
|
||||
}
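Review bot: The tokens issued in this script are tied to the action name only (`'delete_classification'`, `'edit_classification'`, `'reclassify_classifications'`), so `check_token_data` confirms who asked and for which kind of change, but not which classification the confirmation page showed. The attachment code in this commit already puts the object into the event, `'attachment' . $attach_id`; doing the same here, for example `issue_session_token('delete_classification' . $classification->id)` with the matching string in the check, would make a token valid for one target only. In the `delete` and `update` branches that requires resolving the classification before `check_token_data` is called, and those branches continue outside the lines shown. The other administrative scripts changed by this commit follow the same action-only pattern.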
|
||||
|
|
|
@ -39,6 +39,7 @@ use Bugzilla::User;
|
|||
use Bugzilla::Product;
|
||||
use Bugzilla::Component;
|
||||
use Bugzilla::Bug;
|
||||
use Bugzilla::Token;
|
||||
|
||||
###############
|
||||
# Subroutines #
|
||||
|
@ -86,6 +87,7 @@ my $product_name = trim($cgi->param('product') || '');
|
|||
my $comp_name = trim($cgi->param('component') || '');
|
||||
my $action = trim($cgi->param('action') || '');
|
||||
my $showbugcounts = (defined $cgi->param('showbugcounts'));
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
#
|
||||
# product = '' -> Show nice list of products
|
||||
|
@ -130,7 +132,7 @@ unless ($action) {
|
|||
#
|
||||
|
||||
if ($action eq 'add') {
|
||||
|
||||
$vars->{'token'} = issue_session_token('add_component');
|
||||
$vars->{'product'} = $product;
|
||||
$template->process("admin/components/create.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -145,7 +147,7 @@ if ($action eq 'add') {
|
|||
#
|
||||
|
||||
if ($action eq 'new') {
|
||||
|
||||
check_token_data($token, 'add_component');
|
||||
# Do the user matching
|
||||
Bugzilla::User::match_field ($cgi, {
|
||||
'initialowner' => { 'type' => 'single' },
|
||||
|
@ -244,6 +246,8 @@ if ($action eq 'new') {
|
|||
|
||||
$vars->{'comp'} = $component;
|
||||
$vars->{'product'} = $product;
|
||||
delete_token($token);
|
||||
|
||||
$template->process("admin/components/created.html.tmpl",
|
||||
$vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -260,7 +264,7 @@ if ($action eq 'new') {
|
|||
#
|
||||
|
||||
if ($action eq 'del') {
|
||||
|
||||
$vars->{'token'} = issue_session_token('delete_component');
|
||||
$vars->{'comp'} =
|
||||
Bugzilla::Component::check_component($product, $comp_name);
|
||||
|
||||
|
@ -279,7 +283,7 @@ if ($action eq 'del') {
|
|||
#
|
||||
|
||||
if ($action eq 'delete') {
|
||||
|
||||
check_token_data($token, 'delete_component');
|
||||
my $component =
|
||||
Bugzilla::Component::check_component($product, $comp_name);
|
||||
|
||||
|
@ -313,6 +317,8 @@ if ($action eq 'delete') {
|
|||
|
||||
$vars->{'comp'} = $component;
|
||||
$vars->{'product'} = $product;
|
||||
delete_token($token);
|
||||
|
||||
$template->process("admin/components/deleted.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
exit;
|
||||
|
@ -327,7 +333,7 @@ if ($action eq 'delete') {
|
|||
#
|
||||
|
||||
if ($action eq 'edit') {
|
||||
|
||||
$vars->{'token'} = issue_session_token('edit_component');
|
||||
my $component =
|
||||
Bugzilla::Component::check_component($product, $comp_name);
|
||||
$vars->{'comp'} = $component;
|
||||
|
@ -351,7 +357,7 @@ if ($action eq 'edit') {
|
|||
#
|
||||
|
||||
if ($action eq 'update') {
|
||||
|
||||
check_token_data($token, 'edit_component');
|
||||
# Do the user matching
|
||||
Bugzilla::User::match_field ($cgi, {
|
||||
'initialowner' => { 'type' => 'single' },
|
||||
|
@ -459,6 +465,8 @@ if ($action eq 'update') {
|
|||
$vars->{'initial_cc_names'} =
|
||||
join(', ', map($_->login, @{$component->initial_cc}));
|
||||
$vars->{'product'} = $product;
|
||||
delete_token($token);
|
||||
|
||||
$template->process("admin/components/updated.html.tmpl",
|
||||
$vars)
|
||||
|| ThrowTemplateError($template->error());
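Review bot: In the `del` and `edit` branches the token is issued before `check_component` has looked at the request: `issue_session_token('delete_component')` and `issue_session_token('edit_component')` are the first statements of their branches. The comment on `issue_session_token` says it adds the token to the tokens table, so a request that presumably fails in `check_component` leaves an unused row behind until cleanup. Moving `$vars->{'token'} = issue_session_token('delete_component');` below the `check_component` call, as the classification script does in its `del` branch, avoids that; the same applies to the `edit` branch. Both branches continue outside the hunks shown.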
|
||||
|
|
|
@ -23,6 +23,7 @@ use Bugzilla::Constants;
|
|||
use Bugzilla::Error;
|
||||
use Bugzilla::Util;
|
||||
use Bugzilla::Field;
|
||||
use Bugzilla::Token;
|
||||
|
||||
my $cgi = Bugzilla->cgi;
|
||||
my $template = Bugzilla->template;
|
||||
|
@ -36,6 +37,7 @@ $user->in_group('admin')
|
|||
object => 'custom_fields'});
|
||||
|
||||
my $action = trim($cgi->param('action') || '');
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
print $cgi->header();
|
||||
|
||||
|
@ -46,10 +48,13 @@ if (!$action) {
|
|||
}
|
||||
# Interface to add a new custom field.
|
||||
elsif ($action eq 'add') {
|
||||
$vars->{'token'} = issue_session_token('add_field');
|
||||
|
||||
$template->process('admin/custom_fields/create.html.tmpl', $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
}
|
||||
elsif ($action eq 'new') {
|
||||
check_token_data($token, 'add_field');
|
||||
my $name = clean_text($cgi->param('name') || '');
|
||||
my $desc = clean_text($cgi->param('desc') || '');
|
||||
my $type = trim($cgi->param('type') || FIELD_TYPE_FREETEXT);
|
||||
|
@ -93,6 +98,7 @@ elsif ($action eq 'new') {
|
|||
$vars->{'is_obsolete'} = $cgi->param('obsolete') ? 1 : 0;
|
||||
|
||||
Bugzilla::Field::create_or_update($vars);
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'message'} = 'custom_field_created';
|
||||
|
||||
|
@ -109,11 +115,13 @@ elsif ($action eq 'edit') {
|
|||
$field || ThrowUserError('customfield_nonexistent', {'name' => $name});
|
||||
|
||||
$vars->{'field'} = $field;
|
||||
$vars->{'token'} = issue_session_token('edit_field');
|
||||
|
||||
$template->process('admin/custom_fields/edit.html.tmpl', $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
}
|
||||
elsif ($action eq 'update') {
|
||||
check_token_data($token, 'edit_field');
|
||||
my $name = $cgi->param('name');
|
||||
my $desc = clean_text($cgi->param('desc') || '');
|
||||
my $sortkey = $cgi->param('sortkey') || 0;
|
||||
|
@ -144,18 +152,13 @@ elsif ($action eq 'update') {
|
|||
$vars->{'is_obsolete'} = $cgi->param('obsolete') ? 1 : 0;
|
||||
|
||||
Bugzilla::Field::create_or_update($vars);
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'message'} = 'custom_field_updated';
|
||||
|
||||
$template->process('admin/custom_fields/list.html.tmpl', $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
}
|
||||
elsif ($action eq 'del') {
|
||||
die "not yet implemented...\n";
|
||||
}
|
||||
elsif ($action eq 'delete') {
|
||||
die "not yet implemented...\n";
|
||||
}
|
||||
else {
|
||||
ThrowUserError('no_valid_action', {'field' => 'custom_field'});
|
||||
}
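Review bot: `print $cgi->header();` runs near the top of this script, before the action dispatch, while `check_token_data` prints `$cgi->header()` itself before it renders `admin/confirm-action.html.tmpl`. When the token check in the `new` or `update` branch fails, the header is therefore written twice and the second copy would end up in the response body, unless `Bugzilla::CGI` suppresses a repeated header, which is not visible here. Moving the early `print $cgi->header();` into each branch after `check_token_data(...)` keeps the check ahead of any output.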
|
||||
|
|
|
@ -41,6 +41,7 @@ use Bugzilla::Product;
|
|||
use Bugzilla::Component;
|
||||
use Bugzilla::Bug;
|
||||
use Bugzilla::Attachment;
|
||||
use Bugzilla::Token;
|
||||
|
||||
local our $cgi = Bugzilla->cgi;
|
||||
local our $template = Bugzilla->template;
|
||||
|
@ -63,11 +64,12 @@ $user->in_group('editcomponents')
|
|||
|
||||
# Determine whether to use the action specified by the user or the default.
|
||||
my $action = $cgi->param('action') || 'list';
|
||||
my $token = $cgi->param('token');
|
||||
my @categoryActions;
|
||||
|
||||
if (@categoryActions = grep(/^categoryAction-.+/, $cgi->param())) {
|
||||
$categoryActions[0] =~ s/^categoryAction-//;
|
||||
processCategoryChange($categoryActions[0]);
|
||||
processCategoryChange($categoryActions[0], $token);
|
||||
exit;
|
||||
}
|
||||
|
||||
|
@ -75,11 +77,11 @@ if ($action eq 'list') { list(); }
|
|||
elsif ($action eq 'enter') { edit($action); }
|
||||
elsif ($action eq 'copy') { edit($action); }
|
||||
elsif ($action eq 'edit') { edit($action); }
|
||||
elsif ($action eq 'insert') { insert(); }
|
||||
elsif ($action eq 'update') { update(); }
|
||||
elsif ($action eq 'insert') { insert($token); }
|
||||
elsif ($action eq 'update') { update($token); }
|
||||
elsif ($action eq 'confirmdelete') { confirmDelete(); }
|
||||
elsif ($action eq 'delete') { deleteType(); }
|
||||
elsif ($action eq 'deactivate') { deactivate(); }
|
||||
elsif ($action eq 'delete') { deleteType(undef, $token); }
|
||||
elsif ($action eq 'deactivate') { deactivate($token); }
|
||||
else {
|
||||
ThrowCodeError("action_unrecognized", { action => $action });
|
||||
}
|
||||
|
@ -167,9 +169,11 @@ sub edit {
|
|||
$vars->{'last_action'} = $cgi->param('action');
|
||||
if ($cgi->param('action') eq 'enter' || $cgi->param('action') eq 'copy') {
|
||||
$vars->{'action'} = "insert";
|
||||
$vars->{'token'} = issue_session_token('add_flagtype');
|
||||
}
|
||||
else {
|
||||
$vars->{'action'} = "update";
|
||||
$vars->{'token'} = issue_session_token('edit_flagtype');
|
||||
}
|
||||
|
||||
# If copying or editing an existing flag type, retrieve it.
|
||||
|
@ -197,7 +201,7 @@ sub edit {
|
|||
}
|
||||
|
||||
sub processCategoryChange {
|
||||
my $categoryAction = shift;
|
||||
my ($categoryAction, $token) = @_;
|
||||
validateIsActive();
|
||||
validateIsRequestable();
|
||||
validateIsRequesteeble();
|
||||
|
@ -252,7 +256,8 @@ sub processCategoryChange {
|
|||
$type->{'inclusions'} = \%inclusions;
|
||||
$type->{'exclusions'} = \%exclusions;
|
||||
$vars->{'type'} = $type;
|
||||
|
||||
$vars->{'token'} = $token;
|
||||
|
||||
# Return the appropriate HTTP response headers.
|
||||
print $cgi->header();
|
||||
|
||||
|
@ -287,6 +292,8 @@ sub clusion_array_to_hash {
|
|||
}
|
||||
|
||||
sub insert {
|
||||
my $token = shift;
|
||||
check_token_data($token, 'add_flagtype');
|
||||
my $name = validateName();
|
||||
my $description = validateDescription();
|
||||
my $cc_list = validateCCList();
|
||||
|
@ -329,6 +336,7 @@ sub insert {
|
|||
|
||||
$vars->{'name'} = $cgi->param('name');
|
||||
$vars->{'message'} = "flag_type_created";
|
||||
delete_token($token);
|
||||
|
||||
# Return the appropriate HTTP response headers.
|
||||
print $cgi->header();
|
||||
|
@ -340,6 +348,8 @@ sub insert {
|
|||
|
||||
|
||||
sub update {
|
||||
my $token = shift;
|
||||
check_token_data($token, 'edit_flagtype');
|
||||
my $flag_type = validateID();
|
||||
my $id = $flag_type->id;
|
||||
my $name = validateName();
|
||||
|
@ -426,6 +436,7 @@ sub update {
|
|||
|
||||
$vars->{'name'} = $cgi->param('name');
|
||||
$vars->{'message'} = "flag_type_changes_saved";
|
||||
delete_token($token);
|
||||
|
||||
# Return the appropriate HTTP response headers.
|
||||
print $cgi->header();
|
||||
|
@ -441,7 +452,7 @@ sub confirmDelete {
|
|||
|
||||
if ($flag_type->flag_count) {
|
||||
$vars->{'flag_type'} = $flag_type;
|
||||
|
||||
$vars->{'token'} = issue_session_token('delete_flagtype');
|
||||
# Return the appropriate HTTP response headers.
|
||||
print $cgi->header();
|
||||
|
||||
|
@ -450,13 +461,18 @@ sub confirmDelete {
|
|||
|| ThrowTemplateError($template->error());
|
||||
}
|
||||
else {
|
||||
deleteType($flag_type);
|
||||
# We should *always* ask if the admin really wants to delete
|
||||
# a flagtype, even if there is no flag belonging to this type.
|
||||
my $token = issue_session_token('delete_flagtype');
|
||||
deleteType($flag_type, $token);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
sub deleteType {
|
||||
my $flag_type = shift || validateID();
|
||||
my $token = shift;
|
||||
check_token_data($token, 'delete_flagtype');
|
||||
my $id = $flag_type->id;
|
||||
my $dbh = Bugzilla->dbh;
|
||||
|
||||
|
@ -474,6 +490,7 @@ sub deleteType {
|
|||
$dbh->bz_unlock_tables();
|
||||
|
||||
$vars->{'message'} = "flag_type_deleted";
|
||||
delete_token($token);
|
||||
|
||||
# Return the appropriate HTTP response headers.
|
||||
print $cgi->header();
|
||||
|
@ -485,6 +502,8 @@ sub deleteType {
|
|||
|
||||
|
||||
sub deactivate {
|
||||
my $token = shift;
|
||||
check_token_data($token, 'delete_flagtype');
|
||||
my $flag_type = validateID();
|
||||
validateIsActive();
|
||||
|
||||
|
@ -496,6 +515,7 @@ sub deactivate {
|
|||
|
||||
$vars->{'message'} = "flag_type_deactivated";
|
||||
$vars->{'flag_type'} = $flag_type;
|
||||
delete_token($token);
|
||||
|
||||
# Return the appropriate HTTP response headers.
|
||||
print $cgi->header();
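Review bot: In `confirmDelete`, the `else` branch issues a `delete_flagtype` token and hands it straight to `deleteType`, so `check_token_data` always succeeds there and a flag type with no flags is deleted by the `confirmdelete` request itself, without the confirmation the new comment asks for and without any token from the client. The keyword script has the same shape in its `delete` branch: `$token = issue_session_token('delete_keyword');` overwrites the submitted token before `check_token_data($token, 'delete_keyword')`, so the token sent with the request is never examined. In `confirmDelete`, drop the `else` branch and render the confirmation template for every flag type. In the keyword script, keep the request's `$token` for the check and give the new one only to the page, `$vars->{'token'} = issue_session_token('delete_keyword');` inside the `if`.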
|
||||
|
|
|
@ -35,6 +35,7 @@ use Bugzilla::Error;
|
|||
use Bugzilla::Group;
|
||||
use Bugzilla::Product;
|
||||
use Bugzilla::User;
|
||||
use Bugzilla::Token;
|
||||
|
||||
my $cgi = Bugzilla->cgi;
|
||||
my $dbh = Bugzilla->dbh;
|
||||
|
@ -51,6 +52,7 @@ $user->in_group('creategroups')
|
|||
object => "groups"});
|
||||
|
||||
my $action = trim($cgi->param('action') || '');
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
# Add missing entries in bug_group_map for bugs created while
|
||||
# a mandatory group was disabled and which is now enabled again.
|
||||
|
@ -220,6 +222,7 @@ if ($action eq 'changeform') {
|
|||
$vars->{'isactive'} = $isactive;
|
||||
$vars->{'isbuggroup'} = $isbuggroup;
|
||||
$vars->{'groups'} = \@groups;
|
||||
$vars->{'token'} = issue_session_token('edit_group');
|
||||
|
||||
print $cgi->header();
|
||||
$template->process("admin/groups/edit.html.tmpl", $vars)
|
||||
|
@ -235,6 +238,7 @@ if ($action eq 'changeform') {
|
|||
#
|
||||
|
||||
if ($action eq 'add') {
|
||||
$vars->{'token'} = issue_session_token('add_group');
|
||||
print $cgi->header();
|
||||
$template->process("admin/groups/create.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -249,6 +253,7 @@ if ($action eq 'add') {
|
|||
#
|
||||
|
||||
if ($action eq 'new') {
|
||||
check_token_data($token, 'add_group');
|
||||
# Check that a not already used group name is given, that
|
||||
# a description is also given and check if the regular
|
||||
# expression is valid (if any).
|
||||
|
@ -284,6 +289,7 @@ if ($action eq 'new') {
|
|||
undef, ($gid, CONTROLMAPSHOWN, CONTROLMAPNA));
|
||||
}
|
||||
Bugzilla::Group::RederiveRegexp($regexp, $gid);
|
||||
delete_token($token);
|
||||
|
||||
print $cgi->header();
|
||||
$template->process("admin/groups/created.html.tmpl", $vars)
|
||||
|
@ -356,6 +362,7 @@ if ($action eq 'del') {
|
|||
$vars->{'hasflags'} = $hasflags;
|
||||
$vars->{'shared_queries'} = $shared_queries;
|
||||
$vars->{'buglist'} = $buglist;
|
||||
$vars->{'token'} = issue_session_token('delete_group');
|
||||
|
||||
print $cgi->header();
|
||||
$template->process("admin/groups/delete.html.tmpl", $vars)
|
||||
|
@ -369,6 +376,7 @@ if ($action eq 'del') {
|
|||
#
|
||||
|
||||
if ($action eq 'delete') {
|
||||
check_token_data($token, 'delete_group');
|
||||
# Check that an existing group ID is given
|
||||
my $gid = CheckGroupID($cgi->param('group'));
|
||||
my ($name, $isbuggroup) =
|
||||
|
@ -455,6 +463,8 @@ if ($action eq 'delete') {
|
|||
$dbh->do('DELETE FROM groups WHERE id = ?',
|
||||
undef, $gid);
|
||||
|
||||
delete_token($token);
|
||||
|
||||
print $cgi->header();
|
||||
$template->process("admin/groups/deleted.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -467,6 +477,7 @@ if ($action eq 'delete') {
|
|||
#
|
||||
|
||||
if ($action eq 'postchanges') {
|
||||
check_token_data($token, 'edit_group');
|
||||
# ZLL: Bug 181589: we need to have something to remove explicitly listed users from
|
||||
# groups in order for the conversion to 2.18 groups to work
|
||||
my $action;
|
||||
|
@ -488,7 +499,8 @@ if ($action eq 'postchanges') {
|
|||
if ($action == 2) {
|
||||
$vars->{'regexp'} = $regexp;
|
||||
}
|
||||
|
||||
delete_token($token);
|
||||
|
||||
print $cgi->header();
|
||||
$template->process("admin/groups/change.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
|
|
@ -28,6 +28,7 @@ use Bugzilla::Constants;
|
|||
use Bugzilla::Util;
|
||||
use Bugzilla::Error;
|
||||
use Bugzilla::Keyword;
|
||||
use Bugzilla::Token;
|
||||
|
||||
my $cgi = Bugzilla->cgi;
|
||||
my $dbh = Bugzilla->dbh;
|
||||
|
@ -49,6 +50,8 @@ $user->in_group('editkeywords')
|
|||
|
||||
my $action = trim($cgi->param('action') || '');
|
||||
my $key_id = $cgi->param('id');
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
$vars->{'action'} = $action;
|
||||
|
||||
|
||||
|
@ -64,6 +67,8 @@ if ($action eq "") {
|
|||
|
||||
|
||||
if ($action eq 'add') {
|
||||
$vars->{'token'} = issue_session_token('add_keyword');
|
||||
|
||||
print $cgi->header();
|
||||
|
||||
$template->process("admin/keywords/create.html.tmpl", $vars)
|
||||
|
@ -76,12 +81,15 @@ if ($action eq 'add') {
|
|||
# action='new' -> add keyword entered in the 'action=add' screen
|
||||
#
|
||||
if ($action eq 'new') {
|
||||
check_token_data($token, 'add_keyword');
|
||||
my $name = $cgi->param('name') || '';
|
||||
my $desc = $cgi->param('description') || '';
|
||||
|
||||
my $keyword = Bugzilla::Keyword->create(
|
||||
{ name => $name, description => $desc });
|
||||
|
||||
delete_token($token);
|
||||
|
||||
print $cgi->header();
|
||||
|
||||
$vars->{'name'} = $keyword->name;
|
||||
|
@ -104,6 +112,7 @@ if ($action eq 'edit') {
|
|||
|| ThrowCodeError('invalid_keyword_id', { id => $key_id });
|
||||
|
||||
$vars->{'keyword'} = $keyword;
|
||||
$vars->{'token'} = issue_session_token('edit_keyword');
|
||||
|
||||
print $cgi->header();
|
||||
$template->process("admin/keywords/edit.html.tmpl", $vars)
|
||||
|
@ -117,6 +126,7 @@ if ($action eq 'edit') {
|
|||
#
|
||||
|
||||
if ($action eq 'update') {
|
||||
check_token_data($token, 'edit_keyword');
|
||||
my $keyword = new Bugzilla::Keyword($key_id)
|
||||
|| ThrowCodeError('invalid_keyword_id', { id => $key_id });
|
||||
|
||||
|
@ -124,6 +134,8 @@ if ($action eq 'update') {
|
|||
$keyword->set_description($cgi->param('description'));
|
||||
$keyword->update();
|
||||
|
||||
delete_token($token);
|
||||
|
||||
print $cgi->header();
|
||||
|
||||
$vars->{'keyword'} = $keyword;
|
||||
|
@ -140,16 +152,25 @@ if ($action eq 'delete') {
|
|||
|
||||
$vars->{'keyword'} = $keyword;
|
||||
|
||||
# We need this token even if there is no bug using this keyword.
|
||||
$token = issue_session_token('delete_keyword');
|
||||
|
||||
if (!$cgi->param('reallydelete') && $keyword->bug_count) {
|
||||
$vars->{'token'} = $token;
|
||||
|
||||
print $cgi->header();
|
||||
$template->process("admin/keywords/confirm-delete.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
exit;
|
||||
}
|
||||
# We cannot do this check earlier as we have to check 'reallydelete' first.
|
||||
check_token_data($token, 'delete_keyword');
|
||||
|
||||
$dbh->do('DELETE FROM keywords WHERE keywordid = ?', undef, $keyword->id);
|
||||
$dbh->do('DELETE FROM keyworddefs WHERE id = ?', undef, $keyword->id);
|
||||
|
||||
delete_token($token);
|
||||
|
||||
print $cgi->header();
|
||||
|
||||
$template->process("admin/keywords/rebuild-cache.html.tmpl", $vars)
|
||||
|
|
|
@ -26,6 +26,7 @@ use Bugzilla::Error;
|
|||
use Bugzilla::Product;
|
||||
use Bugzilla::Milestone;
|
||||
use Bugzilla::Bug;
|
||||
use Bugzilla::Token;
|
||||
|
||||
my $cgi = Bugzilla->cgi;
|
||||
my $dbh = Bugzilla->dbh;
|
||||
|
@ -54,6 +55,7 @@ my $milestone_name = trim($cgi->param('milestone') || '');
|
|||
my $sortkey = trim($cgi->param('sortkey') || 0);
|
||||
my $action = trim($cgi->param('action') || '');
|
||||
my $showbugcounts = (defined $cgi->param('showbugcounts'));
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
#
|
||||
# product = '' -> Show nice list of products
|
||||
|
@ -101,7 +103,7 @@ unless ($action) {
|
|||
#
|
||||
|
||||
if ($action eq 'add') {
|
||||
|
||||
$vars->{'token'} = issue_session_token('add_milestone');
|
||||
$vars->{'product'} = $product;
|
||||
$template->process("admin/milestones/create.html.tmpl",
|
||||
$vars)
|
||||
|
@ -117,7 +119,7 @@ if ($action eq 'add') {
|
|||
#
|
||||
|
||||
if ($action eq 'new') {
|
||||
|
||||
check_token_data($token, 'add_milestone');
|
||||
$milestone_name || ThrowUserError('milestone_blank_name');
|
||||
|
||||
if (length($milestone_name) > 20) {
|
||||
|
@ -145,6 +147,8 @@ if ($action eq 'new') {
|
|||
|
||||
$milestone = new Bugzilla::Milestone($product->id,
|
||||
$milestone_name);
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'milestone'} = $milestone;
|
||||
$vars->{'product'} = $product;
|
||||
$template->process("admin/milestones/created.html.tmpl",
|
||||
|
@ -174,6 +178,7 @@ if ($action eq 'del') {
|
|||
if ($product->default_milestone eq $milestone->name) {
|
||||
ThrowUserError("milestone_is_default", $vars);
|
||||
}
|
||||
$vars->{'token'} = issue_session_token('delete_milestone');
|
||||
|
||||
$template->process("admin/milestones/confirm-delete.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -187,7 +192,7 @@ if ($action eq 'del') {
|
|||
#
|
||||
|
||||
if ($action eq 'delete') {
|
||||
|
||||
check_token_data($token, 'delete_milestone');
|
||||
my $milestone =
|
||||
Bugzilla::Milestone::check_milestone($product,
|
||||
$milestone_name);
|
||||
|
@ -223,6 +228,8 @@ if ($action eq 'delete') {
|
|||
$dbh->do("DELETE FROM milestones WHERE product_id = ? AND value = ?",
|
||||
undef, ($product->id, $milestone->name));
|
||||
|
||||
delete_token($token);
|
||||
|
||||
$template->process("admin/milestones/deleted.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
exit;
|
||||
|
@ -244,6 +251,7 @@ if ($action eq 'edit') {
|
|||
|
||||
$vars->{'milestone'} = $milestone;
|
||||
$vars->{'product'} = $product;
|
||||
$vars->{'token'} = issue_session_token('edit_milestone');
|
||||
|
||||
$template->process("admin/milestones/edit.html.tmpl",
|
||||
$vars)
|
||||
|
@ -259,7 +267,7 @@ if ($action eq 'edit') {
|
|||
#
|
||||
|
||||
if ($action eq 'update') {
|
||||
|
||||
check_token_data($token, 'edit_milestone');
|
||||
my $milestone_old_name = trim($cgi->param('milestoneold') || '');
|
||||
my $milestone_old =
|
||||
Bugzilla::Milestone::check_milestone($product,
|
||||
|
@ -338,6 +346,8 @@ if ($action eq 'update') {
|
|||
my $milestone =
|
||||
Bugzilla::Milestone::check_milestone($product,
|
||||
$milestone_name);
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'milestone'} = $milestone;
|
||||
$vars->{'product'} = $product;
|
||||
$template->process("admin/milestones/updated.html.tmpl",
|
||||
|
|
|
@ -31,6 +31,7 @@ use Bugzilla::Config qw(:admin);
|
|||
use Bugzilla::Config::Common;
|
||||
use Bugzilla::Util;
|
||||
use Bugzilla::Error;
|
||||
use Bugzilla::Token;
|
||||
|
||||
my $user = Bugzilla->login(LOGIN_REQUIRED);
|
||||
my $cgi = Bugzilla->cgi;
|
||||
|
@ -45,6 +46,7 @@ $user->in_group('tweakparams')
|
|||
object => "parameters"});
|
||||
|
||||
my $action = trim($cgi->param('action') || '');
|
||||
my $token = $cgi->param('token');
|
||||
my $current_panel = $cgi->param('section') || 'core';
|
||||
$current_panel =~ /^([A-Za-z0-9_-]+)$/;
|
||||
$current_panel = $1;
|
||||
|
@ -66,6 +68,7 @@ foreach my $panel (Bugzilla::Config::param_panels()) {
|
|||
$vars->{panels} = \@panels;
|
||||
|
||||
if ($action eq 'save' && $current_module) {
|
||||
check_token_data($token, 'edit_parameters');
|
||||
my @changes = ();
|
||||
my @module_param_list = "Bugzilla::Config::${current_module}"->get_param_list(1);
|
||||
|
||||
|
@ -125,7 +128,10 @@ if ($action eq 'save' && $current_module) {
|
|||
$vars->{'param_changed'} = \@changes;
|
||||
|
||||
write_params();
|
||||
delete_token($token);
|
||||
}
|
||||
|
||||
$vars->{'token'} = issue_session_token('edit_parameters');
|
||||
|
||||
$template->process("admin/params/editparams.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
|
|
@ -47,6 +47,7 @@ use Bugzilla::Milestone;
|
|||
use Bugzilla::Group;
|
||||
use Bugzilla::User;
|
||||
use Bugzilla::Field;
|
||||
use Bugzilla::Token;
|
||||
|
||||
#
|
||||
# Preliminary checks:
|
||||
|
@ -74,6 +75,7 @@ my $classification_name = trim($cgi->param('classification') || '');
|
|||
my $product_name = trim($cgi->param('product') || '');
|
||||
my $action = trim($cgi->param('action') || '');
|
||||
my $showbugcounts = (defined $cgi->param('showbugcounts'));
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
#
|
||||
# product = '' -> Show nice list of classifications (if
|
||||
|
@ -128,12 +130,13 @@ if (!$action && !$product_name) {
|
|||
#
|
||||
|
||||
if ($action eq 'add') {
|
||||
|
||||
if (Bugzilla->params->{'useclassification'}) {
|
||||
my $classification =
|
||||
Bugzilla::Classification::check_classification($classification_name);
|
||||
$vars->{'classification'} = $classification;
|
||||
}
|
||||
$vars->{'token'} = issue_session_token('add_product');
|
||||
|
||||
$template->process("admin/products/create.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
||||
|
@ -146,7 +149,7 @@ if ($action eq 'add') {
|
|||
#
|
||||
|
||||
if ($action eq 'new') {
|
||||
|
||||
check_token_data($token, 'add_product');
|
||||
# Cleanups and validity checks
|
||||
|
||||
my $classification_id = 1;
|
||||
|
@ -306,6 +309,8 @@ if ($action eq 'new') {
|
|||
$series->writeToDatabase();
|
||||
}
|
||||
}
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'product'} = $product;
|
||||
|
||||
$template->process("admin/products/created.html.tmpl", $vars)
|
||||
|
@ -339,6 +344,7 @@ if ($action eq 'del') {
|
|||
}
|
||||
|
||||
$vars->{'product'} = $product;
|
||||
$vars->{'token'} = issue_session_token('delete_product');
|
||||
|
||||
$template->process("admin/products/confirm-delete.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -350,6 +356,7 @@ if ($action eq 'del') {
|
|||
#
|
||||
|
||||
if ($action eq 'delete') {
|
||||
check_token_data($token, 'delete_product');
|
||||
# First make sure the product name is valid.
|
||||
my $product = Bugzilla::Product::check_product($product_name);
|
||||
|
||||
|
@ -413,6 +420,8 @@ if ($action eq 'delete') {
|
|||
|
||||
$dbh->bz_unlock_tables();
|
||||
|
||||
delete_token($token);
|
||||
|
||||
$template->process("admin/products/deleted.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
exit;
|
||||
|
@ -467,9 +476,9 @@ if ($action eq 'edit' || (!$action && $product_name)) {
|
|||
}
|
||||
}
|
||||
$vars->{'group_controls'} = $group_controls;
|
||||
|
||||
$vars->{'product'} = $product;
|
||||
|
||||
$vars->{'token'} = issue_session_token('edit_product');
|
||||
|
||||
$template->process("admin/products/edit.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
||||
|
@ -481,6 +490,7 @@ if ($action eq 'edit' || (!$action && $product_name)) {
|
|||
#
|
||||
|
||||
if ($action eq 'updategroupcontrols') {
|
||||
check_token_data($token, 'edit_group_controls');
|
||||
# First make sure the product name is valid.
|
||||
my $product = Bugzilla::Product::check_product($product_name);
|
||||
|
||||
|
@ -722,10 +732,10 @@ if ($action eq 'updategroupcontrols') {
|
|||
}
|
||||
$dbh->bz_unlock_tables();
|
||||
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'removed_na'} = \@removed_na;
|
||||
|
||||
$vars->{'added_mandatory'} = \@added_mandatory;
|
||||
|
||||
$vars->{'product'} = $product;
|
||||
|
||||
$template->process("admin/products/groupcontrol/updated.html.tmpl", $vars)
|
||||
|
@ -737,7 +747,7 @@ if ($action eq 'updategroupcontrols') {
|
|||
# action='update' -> update the product
|
||||
#
|
||||
if ($action eq 'update') {
|
||||
|
||||
check_token_data($token, 'edit_product');
|
||||
my $product_old_name = trim($cgi->param('product_old_name') || '');
|
||||
my $description = trim($cgi->param('description') || '');
|
||||
my $disallownew = trim($cgi->param('disallownew') || '');
|
||||
|
@ -980,6 +990,7 @@ if ($action eq 'update') {
|
|||
$vars->{'confirmedbugs'} = \@updated_bugs;
|
||||
$vars->{'changer'} = $user->login;
|
||||
}
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'old_product'} = $product_old;
|
||||
$vars->{'product'} = $product;
|
||||
|
@ -1022,6 +1033,7 @@ if ($action eq 'editgroupcontrols') {
|
|||
|
||||
$vars->{'product'} = $product;
|
||||
$vars->{'groups'} = $groups;
|
||||
$vars->{'token'} = issue_session_token('edit_group_controls');
|
||||
|
||||
$vars->{'const'} = {
|
||||
'CONTROLMAPNA' => CONTROLMAPNA,
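Review bot: The token issued on the confirmation page names only the action (`issue_session_token('delete_product')` in the `del` branch), so `check_token_data($token, 'delete_product')` in the `delete` branch cannot tell which product the administrator was shown when confirming. Binding the object into the event data, for example `issue_session_token("delete_product:$product_name")` with the same string passed to `check_token_data`, would limit a leaked or reused token to the product it was issued for; this assumes check_token_data compares the stored string verbatim, which is not visible here. The same applies to `edit_product` and `edit_group_controls` in this file, and to the `delete_user`, `delete_field_value` and `delete_version` tokens in the sections that follow. These branches continue outside the hunks shown.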
|
||||
|
|
|
@ -24,6 +24,7 @@ use Bugzilla::Constants;
|
|||
use Bugzilla::Util;
|
||||
use Bugzilla::Error;
|
||||
use Bugzilla::User::Setting;
|
||||
use Bugzilla::Token;
|
||||
|
||||
my $template = Bugzilla->template;
|
||||
local our $vars = {};
|
||||
|
@ -79,9 +80,12 @@ $user->in_group('tweakparams')
|
|||
object => "settings"});
|
||||
|
||||
my $action = trim($cgi->param('action') || 'load');
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
if ($action eq 'update') {
|
||||
check_token_data($token, 'edit_settings');
|
||||
SaveSettings();
|
||||
delete_token($token);
|
||||
$vars->{'changes_saved'} = 1;
|
||||
|
||||
$template->process("admin/settings/updated.html.tmpl", $vars)
|
||||
|
@ -92,6 +96,7 @@ if ($action eq 'update') {
|
|||
|
||||
if ($action eq 'load') {
|
||||
LoadSettings();
|
||||
$vars->{'token'} = issue_session_token('edit_settings');
|
||||
|
||||
$template->process("admin/settings/edit.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
|
|
@ -33,6 +33,7 @@ use Bugzilla::BugMail;
|
|||
use Bugzilla::Flag;
|
||||
use Bugzilla::Field;
|
||||
use Bugzilla::Group;
|
||||
use Bugzilla::Token;
|
||||
|
||||
my $user = Bugzilla->login(LOGIN_REQUIRED);
|
||||
|
||||
|
@ -57,6 +58,7 @@ print $cgi->header();
|
|||
my $action = $cgi->param('action') || 'search';
|
||||
my $otherUserID = $cgi->param('userid');
|
||||
my $otherUserLogin = $cgi->param('user');
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
# Prefill template vars with data used in all or nearly all templates
|
||||
$vars->{'editusers'} = $editusers;
|
||||
|
@ -183,6 +185,8 @@ if ($action eq 'search') {
|
|||
action => "add",
|
||||
object => "users"});
|
||||
|
||||
$vars->{'token'} = issue_session_token('add_user');
|
||||
|
||||
$template->process('admin/users/create.html.tmpl', $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
||||
|
@ -192,6 +196,8 @@ if ($action eq 'search') {
|
|||
action => "add",
|
||||
object => "users"});
|
||||
|
||||
check_token_data($token, 'add_user');
|
||||
|
||||
my $new_user = Bugzilla::User->create({
|
||||
login_name => scalar $cgi->param('login'),
|
||||
cryptpassword => scalar $cgi->param('password'),
|
||||
|
@ -201,6 +207,10 @@ if ($action eq 'search') {
|
|||
|
||||
userDataToVars($new_user->id);
|
||||
|
||||
delete_token($token);
|
||||
|
||||
# We already display the updated page. We have to recreate a token now.
|
||||
$vars->{'token'} = issue_session_token('edit_user');
|
||||
$vars->{'message'} = 'account_created';
|
||||
$template->process('admin/users/edit.html.tmpl', $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -212,6 +222,7 @@ if ($action eq 'search') {
|
|||
|
||||
###########################################################################
|
||||
} elsif ($action eq 'update') {
|
||||
check_token_data($token, 'edit_user');
|
||||
my $otherUser = check_user($otherUserID, $otherUserLogin);
|
||||
$otherUserID = $otherUser->id;
|
||||
|
||||
|
@ -388,6 +399,7 @@ if ($action eq 'search') {
|
|||
|
||||
# XXX: userDataToVars may be off when editing ourselves.
|
||||
userDataToVars($otherUserID);
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'message'} = 'account_updated';
|
||||
$vars->{'loginold'} = $otherUser->login;
|
||||
|
@ -396,6 +408,9 @@ if ($action eq 'search') {
|
|||
$vars->{'groups_removed_from'} = \@groupsRemovedFrom;
|
||||
$vars->{'groups_granted_rights_to_bless'} = \@groupsGrantedRightsToBless;
|
||||
$vars->{'groups_denied_rights_to_bless'} = \@groupsDeniedRightsToBless;
|
||||
# We already display the updated page. We have to recreate a token now.
|
||||
$vars->{'token'} = issue_session_token('edit_user');
|
||||
|
||||
$template->process('admin/users/edit.html.tmpl', $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
||||
|
@ -479,12 +494,14 @@ if ($action eq 'search') {
|
|||
AND mailto_type = ?
|
||||
},
|
||||
undef, ($otherUserID, MAILTO_USER));
|
||||
$vars->{'token'} = issue_session_token('delete_user');
|
||||
|
||||
$template->process('admin/users/confirm-delete.html.tmpl', $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
||||
###########################################################################
|
||||
} elsif ($action eq 'delete') {
|
||||
check_token_data($token, 'delete_user');
|
||||
my $otherUser = check_user($otherUserID, $otherUserLogin);
|
||||
$otherUserID = $otherUser->id;
|
||||
|
||||
|
@ -707,6 +724,7 @@ if ($action eq 'search') {
|
|||
$dbh->do('DELETE FROM profiles WHERE userid = ?', undef, $otherUserID);
|
||||
|
||||
$dbh->bz_unlock_tables();
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'message'} = 'account_deleted';
|
||||
$vars->{'otheruser'}{'login'} = $otherUser->login;
|
||||
|
@ -857,6 +875,7 @@ sub edit_processing {
|
|||
object => "user"});
|
||||
|
||||
userDataToVars($otherUser->id);
|
||||
$vars->{'token'} = issue_session_token('edit_user');
|
||||
|
||||
$template->process('admin/users/edit.html.tmpl', $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
|
|
@ -26,6 +26,7 @@ use Bugzilla::Util;
|
|||
use Bugzilla::Error;
|
||||
use Bugzilla::Constants;
|
||||
use Bugzilla::Config qw(:admin);
|
||||
use Bugzilla::Token;
|
||||
|
||||
# List of different tables that contain the changeable field values
|
||||
# (the old "enums.") Keep them in alphabetical order by their
|
||||
|
@ -121,6 +122,7 @@ my $field = trim($cgi->param('field') || '');
|
|||
my $value = trim($cgi->param('value') || '');
|
||||
my $sortkey = trim($cgi->param('sortkey') || '0');
|
||||
my $action = trim($cgi->param('action') || '');
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
# Gives the name of the parameter associated with the field
|
||||
# and representing its default value.
|
||||
|
@ -186,6 +188,7 @@ if ($action eq 'add') {
|
|||
|
||||
$vars->{'value'} = $value;
|
||||
$vars->{'field'} = $field;
|
||||
$vars->{'token'} = issue_session_token('add_field_value');
|
||||
$template->process("admin/fieldvalues/create.html.tmpl",
|
||||
$vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -198,6 +201,7 @@ if ($action eq 'add') {
|
|||
# action='new' -> add field value entered in the 'action=add' screen
|
||||
#
|
||||
if ($action eq 'new') {
|
||||
check_token_data($token, 'add_field_value');
|
||||
FieldMustExist($field);
|
||||
trick_taint($field);
|
||||
|
||||
|
@ -228,6 +232,8 @@ if ($action eq 'new') {
|
|||
VALUES ( ?, ? )");
|
||||
$sth->execute($value, $sortkey);
|
||||
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'value'} = $value;
|
||||
$vars->{'field'} = $field;
|
||||
$template->process("admin/fieldvalues/created.html.tmpl",
|
||||
|
@ -262,6 +268,7 @@ if ($action eq 'del') {
|
|||
if (lsearch($static{$field}, $value) >= 0) {
|
||||
ThrowUserError('fieldvalue_not_deletable', $vars);
|
||||
}
|
||||
$vars->{'token'} = issue_session_token('delete_field_value');
|
||||
|
||||
$template->process("admin/fieldvalues/confirm-delete.html.tmpl",
|
||||
$vars)
|
||||
|
@ -275,6 +282,7 @@ if ($action eq 'del') {
|
|||
# action='delete' -> really delete the field value
|
||||
#
|
||||
if ($action eq 'delete') {
|
||||
check_token_data($token, 'delete_field_value');
|
||||
ValueMustExist($field, $value);
|
||||
|
||||
$vars->{'value'} = $value;
|
||||
|
@ -311,6 +319,7 @@ if ($action eq 'delete') {
|
|||
$dbh->do("DELETE FROM $field WHERE value = ?", undef, $value);
|
||||
|
||||
$dbh->bz_unlock_tables();
|
||||
delete_token($token);
|
||||
|
||||
$template->process("admin/fieldvalues/deleted.html.tmpl",
|
||||
$vars)
|
||||
|
@ -334,6 +343,7 @@ if ($action eq 'edit') {
|
|||
$vars->{'value'} = $value;
|
||||
$vars->{'field'} = $field;
|
||||
$vars->{'is_static'} = (lsearch($static{$field}, $value) >= 0) ? 1 : 0;
|
||||
$vars->{'token'} = issue_session_token('edit_field_value');
|
||||
|
||||
$template->process("admin/fieldvalues/edit.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -346,6 +356,7 @@ if ($action eq 'edit') {
|
|||
# action='update' -> update the field value
|
||||
#
|
||||
if ($action eq 'update') {
|
||||
check_token_data($token, 'edit_field_value');
|
||||
my $valueold = trim($cgi->param('valueold') || '');
|
||||
my $sortkeyold = trim($cgi->param('sortkeyold') || '0');
|
||||
|
||||
|
@ -420,6 +431,7 @@ if ($action eq 'update') {
|
|||
write_params();
|
||||
$vars->{'default_value_updated'} = 1;
|
||||
}
|
||||
delete_token($token);
|
||||
|
||||
$template->process("admin/fieldvalues/updated.html.tmpl",
|
||||
$vars)
|
||||
|
|
|
@ -37,6 +37,7 @@ use Bugzilla::Util;
|
|||
use Bugzilla::Error;
|
||||
use Bugzilla::Product;
|
||||
use Bugzilla::Version;
|
||||
use Bugzilla::Token;
|
||||
|
||||
my $cgi = Bugzilla->cgi;
|
||||
my $dbh = Bugzilla->dbh;
|
||||
|
@ -63,6 +64,7 @@ my $product_name = trim($cgi->param('product') || '');
|
|||
my $version_name = trim($cgi->param('version') || '');
|
||||
my $action = trim($cgi->param('action') || '');
|
||||
my $showbugcounts = (defined $cgi->param('showbugcounts'));
|
||||
my $token = $cgi->param('token');
|
||||
|
||||
#
|
||||
# product = '' -> Show nice list of products
|
||||
|
@ -108,7 +110,7 @@ unless ($action) {
|
|||
#
|
||||
|
||||
if ($action eq 'add') {
|
||||
|
||||
$vars->{'token'} = issue_session_token('add_version');
|
||||
$vars->{'product'} = $product;
|
||||
$template->process("admin/versions/create.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -123,8 +125,9 @@ if ($action eq 'add') {
|
|||
#
|
||||
|
||||
if ($action eq 'new') {
|
||||
|
||||
check_token_data($token, 'add_version');
|
||||
my $version = Bugzilla::Version::create($version_name, $product);
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'version'} = $version;
|
||||
$vars->{'product'} = $product;
|
||||
|
@ -149,6 +152,7 @@ if ($action eq 'del') {
|
|||
|
||||
$vars->{'version'} = $version;
|
||||
$vars->{'product'} = $product;
|
||||
$vars->{'token'} = issue_session_token('delete_version');
|
||||
$template->process("admin/versions/confirm-delete.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
||||
|
@ -162,9 +166,10 @@ if ($action eq 'del') {
|
|||
#
|
||||
|
||||
if ($action eq 'delete') {
|
||||
|
||||
check_token_data($token, 'delete_version');
|
||||
my $version = Bugzilla::Version::check_version($product, $version_name);
|
||||
$version->remove_from_db;
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'version'} = $version;
|
||||
$vars->{'product'} = $product;
|
||||
|
@ -189,6 +194,7 @@ if ($action eq 'edit') {
|
|||
|
||||
$vars->{'version'} = $version;
|
||||
$vars->{'product'} = $product;
|
||||
$vars->{'token'} = issue_session_token('edit_version');
|
||||
|
||||
$template->process("admin/versions/edit.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
@ -203,7 +209,7 @@ if ($action eq 'edit') {
|
|||
#
|
||||
|
||||
if ($action eq 'update') {
|
||||
|
||||
check_token_data($token, 'edit_version');
|
||||
my $version_old_name = trim($cgi->param('versionold') || '');
|
||||
my $version =
|
||||
Bugzilla::Version::check_version($product, $version_old_name);
|
||||
|
@ -213,6 +219,7 @@ if ($action eq 'update') {
|
|||
$vars->{'updated'} = $version->update($version_name, $product);
|
||||
|
||||
$dbh->bz_unlock_tables();
|
||||
delete_token($token);
|
||||
|
||||
$vars->{'version'} = $version;
|
||||
$vars->{'product'} = $product;
|
||||
|
|
|
@ -35,6 +35,7 @@ use Bugzilla::Util;
|
|||
use Bugzilla::Error;
|
||||
use Bugzilla::User;
|
||||
use Bugzilla::Group;
|
||||
use Bugzilla::Token;
|
||||
|
||||
# require the user to have logged in
|
||||
my $user = Bugzilla->login(LOGIN_REQUIRED);
|
||||
|
@ -49,7 +50,7 @@ my $vars = {};
|
|||
my $dbh = Bugzilla->dbh;
|
||||
|
||||
my $userid = $user->id;
|
||||
|
||||
my $token = $cgi->param('token');
|
||||
my $sth; # database statement handle
|
||||
|
||||
# $events is a hash ref, keyed by event id, that stores the active user's
|
||||
|
@ -86,6 +87,8 @@ my $can_mail_others = Bugzilla->user->in_group('bz_canusewhineatothers');
|
|||
# removed, then what was altered.
|
||||
|
||||
if ($cgi->param('update')) {
|
||||
check_token_data($token, 'edit_whine');
|
||||
|
||||
if ($cgi->param("add_event")) {
|
||||
# we create a new event
|
||||
$sth = $dbh->prepare("INSERT INTO whine_events " .
|
||||
|
@ -349,6 +352,7 @@ if ($cgi->param('update')) {
|
|||
}
|
||||
}
|
||||
}
|
||||
delete_token($token);
|
||||
}
|
||||
|
||||
$vars->{'mail_others'} = $can_mail_others;
|
||||
|
@ -436,6 +440,7 @@ $vars->{'available_queries'} = [];
|
|||
while (my ($query) = $sth->fetchrow_array) {
|
||||
push @{$vars->{'available_queries'}}, $query;
|
||||
}
|
||||
$vars->{'token'} = issue_session_token('edit_whine');
|
||||
|
||||
$template->process("whine/schedule.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
|
|
|
@ -335,7 +335,7 @@ $vars->{'qa_contact_disabled'} = !Bugzilla->user->in_group('editbugs');
|
|||
|
||||
$vars->{'cloned_bug_id'} = $cloned_bug_id;
|
||||
|
||||
$vars->{'token'} = Bugzilla::Token::IssueSessionToken('createbug:');
|
||||
$vars->{'token'} = issue_session_token('createbug:');
|
||||
|
||||
|
||||
my @enter_bug_fields = Bugzilla->get_fields({ custom => 1, obsolete => 0,
|
||||
|
|
|
@ -60,7 +60,7 @@ if ($action eq 'prepare-sudo') {
|
|||
}
|
||||
|
||||
# Keep a temporary record of the user visiting this page
|
||||
$vars->{'token'} = Bugzilla::Token::IssueSessionToken('sudo_prepared');
|
||||
$vars->{'token'} = issue_session_token('sudo_prepared');
|
||||
|
||||
# Show the sudo page
|
||||
$vars->{'target_login_default'} = $cgi->param('target_login');
|
||||
|
@ -121,7 +121,7 @@ elsif ($action eq 'begin-sudo') {
|
|||
{ target_login => scalar $cgi->param('target_login'),
|
||||
reason => scalar $cgi->param('reason')});
|
||||
}
|
||||
Bugzilla::Token::DeleteToken($cgi->param('token'));
|
||||
delete_token($cgi->param('token'));
|
||||
|
||||
# Get & verify the target user (the user who we will be impersonating)
|
||||
my $target_user =
|
||||
|
|
|
@ -289,3 +289,11 @@ span.quote {
|
|||
}
|
||||
|
||||
table#flags th, table#flags td { vertical-align: baseline; text-align: left; }
|
||||
|
||||
.throw_error {
|
||||
background-color: #ff0000;
|
||||
color: black;
|
||||
font-size: 120%;
|
||||
margin: 1em;
|
||||
padding: 0.5em 1em;
|
||||
}
|
||||
|
|
|
@ -49,6 +49,7 @@
|
|||
<hr>
|
||||
<input type=submit value="Add">
|
||||
<input type=hidden name="action" value="new">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</FORM>
|
||||
|
||||
<p>Back to the <a href="./">main [% terms.bugs %] page</a>
|
||||
|
|
|
@ -56,6 +56,7 @@
|
|||
<input type=submit value="Yes, delete">
|
||||
<input type=hidden name="action" value="delete">
|
||||
<input type=hidden name="classification" value="[% classification.name FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
<p>Back to the <a href="./">main [% terms.bugs %] page</a>
|
||||
|
|
|
@ -77,6 +77,7 @@
|
|||
<input type=hidden name="classificationold"
|
||||
value="[% classification.name FILTER html %]">
|
||||
<input type=hidden name="action" value="update">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type=submit value="Update">
|
||||
</form>
|
||||
|
||||
|
|
|
@ -82,6 +82,7 @@
|
|||
|
||||
<input type=hidden name="action" value="reclassify">
|
||||
<input type=hidden name="classification" value="[% classification.name FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
<p>Back to the <a href="./">main [% terms.bugs %] page</a>,
|
||||
|
|
|
@ -150,6 +150,7 @@
|
|||
<input type="hidden" name="action" value="delete">
|
||||
<input type="hidden" name="product" value="[% product.name FILTER html %]">
|
||||
<input type="hidden" name="component" value="[% comp.name FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
[% END %]
|
||||
|
|
|
@ -102,7 +102,7 @@
|
|||
<input type="hidden" name='open_name' value='All Open'>
|
||||
<input type="hidden" name='nonopen_name' value='All Closed'>
|
||||
<input type="hidden" name='product' value="[% product.name FILTER html %]">
|
||||
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
[% PROCESS admin/components/footer.html.tmpl %]
|
||||
|
|
|
@ -119,6 +119,7 @@
|
|||
<input type="hidden" name="action" value="update">
|
||||
<input type="hidden" name="componentold" value="[% comp.name FILTER html %]">
|
||||
<input type="hidden" name="product" value="[% product.name FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="submit" value="Update" id="update"> or <a
|
||||
href="editcomponents.cgi?action=del&product=
|
||||
[%- product.name FILTER url_quote %]&component=
|
||||
|
|
|
@ -0,0 +1,97 @@
|
|||
[%# 1.0@bugzilla.org %]
|
||||
[%# The contents of this file are subject to the Mozilla Public
|
||||
# License Version 1.1 (the "License"); you may not use this file
|
||||
# except in compliance with the License. You may obtain a copy of
|
||||
# the License at http://www.mozilla.org/MPL/
|
||||
#
|
||||
# Software distributed under the License is distributed on an "AS
|
||||
# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
|
||||
# implied. See the License for the specific language governing
|
||||
# rights and limitations under the License.
|
||||
#
|
||||
# The Original Code is the Bugzilla Bug Tracking System.
|
||||
#
|
||||
# The Initial Developer of the Original Code is Frédéric Buclin.
|
||||
#
|
||||
# Contributor(s): Frédéric Buclin <LpSolit@gmail.com>
|
||||
#%]
|
||||
|
||||
[%# INTERFACE:
|
||||
# abuser: identity of the user who created the (invalid?) token.
|
||||
# token_action: the action the token was supposed to serve.
|
||||
# expected_action: the action the user was going to do.
|
||||
# script_name: the script generating this warning.
|
||||
#%]
|
||||
|
||||
[% PROCESS "global/field-descs.none.tmpl" %]
|
||||
|
||||
[% PROCESS global/header.html.tmpl title = "Suspicious Action"
|
||||
style_urls = ['skins/standard/global.css'] %]
|
||||
|
||||
[% IF abuser %]
|
||||
<div class="throw_error">
|
||||
<p>When you view an administrative form in [% terms.Bugzilla %], a token string
|
||||
is randomly generated and stored both in the database and in the form you loaded,
|
||||
to make sure that the requested changes are being made as a result of submitting
|
||||
a form generated by [% terms.Bugzilla %]. Unfortunately, the token used right now
|
||||
is incorrect, meaning that it looks like you didn't come from the right page.
|
||||
The following token has been used :</p>
|
||||
|
||||
<table border="0" cellpadding="5" cellspacing="0">
|
||||
[% IF token_action != expected_action %]
|
||||
<tr>
|
||||
<th>Action stored:</th>
|
||||
<td>[% token_action FILTER html %]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th> </th>
|
||||
<td>
|
||||
This action doesn't match the one expected ([% expected_action FILTER html %]).
|
||||
</td>
|
||||
</tr>
|
||||
[% END %]
|
||||
|
||||
[% IF abuser != user.identity %]
|
||||
<tr>
|
||||
<th>Generated by:</th>
|
||||
<td>[% abuser FILTER html %]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th> </th>
|
||||
<td>
|
||||
This token has not been generated by you. It is possible that someone
|
||||
tried to trick you!
|
||||
</td>
|
||||
</tr>
|
||||
[% END %]
|
||||
</table>
|
||||
|
||||
<p>Please report this problem to [%+ Param("maintainer") FILTER html %].</p>
|
||||
</div>
|
||||
[% ELSE %]
|
||||
<div class="throw_error">
|
||||
It looks like you didn't come from the right page (you have no valid token for
|
||||
the <em>[% expected_action FILTER html %]</em> action while processing the
|
||||
'[% script_name FILTER html%]' script). The reason could be one of:<br>
|
||||
<ul>
|
||||
<li>You clicked the "Back" button of your web browser after having successfully
|
||||
submitted changes, which is generally not a good idea (but harmless).</li>
|
||||
<li>You entered the URL in the address bar of your web browser directly,
|
||||
which should be safe.</li>
|
||||
<li>You clicked on a URL which redirected you here <b>without your consent</b>,
|
||||
in which case this action is much more critical.</li>
|
||||
</ul>
|
||||
Are you sure you want to commit these changes anyway? This may result in
|
||||
unexpected and undesired results.
|
||||
</div>
|
||||
|
||||
<form name="check" id="check" method="post" action="[% script_name FILTER html %]">
|
||||
[% PROCESS "global/hidden-fields.html.tmpl"
|
||||
exclude="^(Bugzilla_login|Bugzilla_password)$" %]
|
||||
<input type="submit" id="confirm" value="Confirm Changes">
|
||||
</form>
|
||||
<p>Or throw away these changes and go back to <a href="[% script_name FILTER html %]">
|
||||
[%- script_name FILTER html %]</a>.</p>
|
||||
[% END %]
|
||||
|
||||
[% PROCESS global/footer.html.tmpl %]
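Review bot: The `[% ELSE %]` branch lets a request that failed the token check go through after a single click on "Confirm Changes", and the form re-posts every submitted field as a hidden input, so the administrator confirms values they cannot see. Only `expected_action` and `script_name` are displayed; listing the names and HTML-filtered values of the fields about to be re-submitted above the button would let the administrator recognise a request they did not compose. Whether a fresh token is added to the re-posted fields is decided in check_token_data, which is outside this section. The `exclude` pattern drops only `Bugzilla_login` and `Bugzilla_password`, so a stale `token` parameter from the original request may be re-posted as well; I would add a template comment stating which component replaces it.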
|
|
@ -102,6 +102,7 @@
|
|||
</table>
|
||||
<br>
|
||||
<input type="hidden" name="action" value="new">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="submit" id="create" value="Create">
|
||||
</form>
|
||||
|
||||
|
|
|
@ -98,6 +98,7 @@
|
|||
<br>
|
||||
<input type="hidden" name="action" value="update">
|
||||
<input type="hidden" name="name" value="[% field.name FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="submit" id="edit" value="Submit">
|
||||
</form>
|
||||
|
||||
|
|
|
@ -111,6 +111,7 @@
|
|||
<input type="hidden" name="action" value="delete">
|
||||
<input type="hidden" name="field" value="[% field FILTER html %]">
|
||||
<input type="hidden" name="value" value="[% value FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
[% END %]
|
||||
|
|
|
@ -42,7 +42,7 @@
|
|||
<input type="submit" id="create" value="Add">
|
||||
<input type="hidden" name="action" value="new">
|
||||
<input type="hidden" name='field' value="[% field FILTER html %]">
|
||||
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
<p>
|
||||
|
|
|
@ -55,8 +55,8 @@
|
|||
<input type="hidden" name="sortkeyold" value="[% sortkey FILTER html %]">
|
||||
<input type="hidden" name="action" value="update">
|
||||
<input type="hidden" name="field" value="[% field FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="submit" id="update" value="Update">
|
||||
|
||||
</form>
|
||||
|
||||
<p>
|
||||
|
|
|
@ -21,18 +21,16 @@
|
|||
|
||||
[% PROCESS global/variables.none.tmpl %]
|
||||
|
||||
[%# Filter off the name here to be used multiple times below %]
|
||||
[% name = BLOCK %][% flag_type.name FILTER html %][% END %]
|
||||
[% title = BLOCK %]Confirm Deletion of Flag Type '[% flag_type.name FILTER html %]'[% END %]
|
||||
|
||||
[% PROCESS global/header.html.tmpl
|
||||
title = "Confirm Deletion of Flag Type '$name'"
|
||||
%]
|
||||
[% PROCESS global/header.html.tmpl title = title %]
|
||||
|
||||
<p>
|
||||
There are [% flag_type.flag_count %] flags of type [% name FILTER html %].
|
||||
There are [% flag_type.flag_count %] flags of type [% flag_type.name FILTER html %].
|
||||
If you delete this type, those flags will also be deleted. Note that
|
||||
instead of deleting the type you can
|
||||
<a href="editflagtypes.cgi?action=deactivate&id=[% flag_type.id %]">deactivate it</a>,
|
||||
<a href="editflagtypes.cgi?action=deactivate&id=[% flag_type.id %]&token=
|
||||
[%- token FILTER html %]">deactivate it</a>,
|
||||
in which case the type and its flags will remain in the database
|
||||
but will not appear in the [% terms.Bugzilla %] UI.
|
||||
</p>
|
||||
|
@ -45,8 +43,8 @@
|
|||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<a href="editflagtypes.cgi?action=delete&id=[% flag_type.id %]">
|
||||
Yes, delete
|
||||
<a href="editflagtypes.cgi?action=delete&id=[% flag_type.id %]&token=
|
||||
[%- token FILTER html %]">Yes, delete
|
||||
</a>
|
||||
</td>
|
||||
<td align="right">
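Review bot: The delete and deactivate links carry the session token in the query string (`...action=delete&id=[% flag_type.id %]&token=[%- token FILTER html %]`), where it ends up in browser history, server logs and Referer headers, and they trigger a state change from a plain GET link. The other admin templates in this commit pass the token in a hidden field of a POST form, and doing the same here keeps it out of URLs. If a link has to stay, the components edit template in this commit uses `FILTER url_quote` rather than `FILTER html` for values placed in a URL. Both links also share one token although they request different actions; whether editflagtypes.cgi checks them against the same action string is not visible in this section.

```html
[%# … unchanged: table row around the confirmation cell … %]
<td>
  <form method="post" action="editflagtypes.cgi">
    <input type="hidden" name="action" value="delete">
    <input type="hidden" name="id" value="[% flag_type.id FILTER html %]">
    <input type="hidden" name="token" value="[% token FILTER html %]">
    <input type="submit" id="delete" value="Yes, delete">
  </form>
</td>
```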
|
||||
|
|
|
@ -53,6 +53,7 @@
|
|||
<form method="post" action="editflagtypes.cgi">
|
||||
<input type="hidden" name="action" value="[% action %]">
|
||||
<input type="hidden" name="id" value="[% type.id %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="hidden" name="target_type" value="[% type.target_type %]">
|
||||
[% FOREACH category = type.inclusions %]
|
||||
<input type="hidden" name="inclusions" value="[% category.value FILTER html %]">
|
||||
|
|
|
@ -101,25 +101,6 @@
|
|||
<a href="editflagtypes.cgi?action=enter&target_type=attachment">Create Flag Type For Attachments</a>
|
||||
</p>
|
||||
|
||||
<script type="text/javascript">
|
||||
<!--
|
||||
function confirmDelete(id, name, count)
|
||||
{
|
||||
if (count > 0) {
|
||||
var msg = 'There are ' + count + ' flags of type ' + name + '. ' +
|
||||
'If you delete this type, those flags will also be ' +
|
||||
'deleted.\n\nNote: to deactivate the type instead ' +
|
||||
'of deleting it, edit it and uncheck its "is active" ' +
|
||||
'flag.\n\nDo you really want to delete this flag type?';
|
||||
if (!confirm(msg)) return false;
|
||||
}
|
||||
location.href = "editflagtypes.cgi?action=delete&id=" + id;
|
||||
return false; // prevent strict JavaScript warning that this function
|
||||
// does not always return a value
|
||||
}
|
||||
//-->
|
||||
</script>
|
||||
|
||||
[% PROCESS global/footer.html.tmpl %]
|
||||
|
||||
|
||||
|
@ -157,9 +138,7 @@
|
|||
<td>[% IF type.request_group %][% type.request_group.name FILTER html %][% END %]</td>
|
||||
<td>
|
||||
<a href="editflagtypes.cgi?action=copy&id=[% type.id %]">Copy</a>
|
||||
| <a href="editflagtypes.cgi?action=confirmdelete&id=[% type.id %]"
|
||||
onclick="return confirmDelete([% type.id %], '[% type.name FILTER js FILTER html %]',
|
||||
[% type.flag_count %]);">Delete</a>
|
||||
| <a href="editflagtypes.cgi?action=confirmdelete&id=[% type.id %]">Delete</a>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
|
|
@ -49,6 +49,7 @@
|
|||
Insert new group into all existing products.<p>
|
||||
<input type="submit" id="create" value="Add">
|
||||
<input type="hidden" name="action" value="new">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
<p><b>Name</b> is what is used with the B<!-- blah -->ugzilla->user->in_group()
|
||||
|
|
|
@ -123,6 +123,7 @@
|
|||
<p><input type="submit" id="delete" value="Yes, delete">
|
||||
<input type="hidden" name="action" value="delete">
|
||||
<input type="hidden" name="group" value="[% gid FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
Go back to the <a href="editgroups.cgi">group list</a>.
|
||||
|
|
|
@ -214,6 +214,7 @@
|
|||
|
||||
<input type="hidden" name="action" value="postchanges">
|
||||
<input type="hidden" name="group" value="[% group_id FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
Back to the <a href="editgroups.cgi">group list</a>.
|
||||
|
|
|
@ -45,6 +45,7 @@
|
|||
<input type="hidden" name="id" value="[% keyword.id FILTER html %]">
|
||||
<input type="hidden" name="action" value="delete">
|
||||
<input type="hidden" name="reallydelete" value="1">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="submit" id="delete"
|
||||
value="Yes, really delete the keyword">
|
||||
</form>
|
||||
|
|
|
@ -51,6 +51,7 @@
|
|||
<input type="hidden" name="id" value="-1">
|
||||
<input type="submit" id="create" value="Add">
|
||||
<input type="hidden" name="action" value="new">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
<p><a href="editkeywords.cgi">Edit other keywords</a>.</p>
|
||||
|
|
|
@ -66,6 +66,7 @@
|
|||
<input type="submit" id="update" value="Update">
|
||||
<input type="hidden" name="action" value="update">
|
||||
<input type="hidden" name="id" value="[% keyword.id FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
<p><a href="editkeywords.cgi">Edit other keywords</a>.</p>
|
||||
|
|
|
@ -90,6 +90,7 @@
|
|||
<input type="hidden" name="action" value="delete">
|
||||
<input type="hidden" name="product" value="[% product.name FILTER html %]">
|
||||
<input type="hidden" name="milestone" value="[% milestone.name FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
[% PROCESS admin/milestones/footer.html.tmpl %]
|
||||
|
|
|
@ -49,7 +49,7 @@
|
|||
<input type="submit" id="create" value="Add">
|
||||
<input type="hidden" name="action" value="new">
|
||||
<input type="hidden" name='product' value="[% product.name FILTER html %]">
|
||||
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
<p>
|
||||
|
|
|
@ -55,7 +55,7 @@
|
|||
<input type="hidden" name="action" value="update">
|
||||
<input type="hidden" name="product" value="[% product.name FILTER html %]">
|
||||
<input type="submit" id="update" value="Update">
|
||||
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
<p>
|
||||
|
|
|
@ -99,6 +99,7 @@
|
|||
[% PROCESS admin/params/common.html.tmpl panel = current_panel %]
|
||||
<input type="hidden" name="section" value="[% current_panel.name FILTER html %]">
|
||||
<input type="hidden" name="action" value="save">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="reset" value="Reset form">
|
||||
<input type="submit" name="action" value="Save Changes">
|
||||
</form>
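Review bot: This form submits two fields named `action`, the hidden `action=save` and the submit button `name="action" value="Save Changes"`, so the value the script reads depends on field order. If the new token check is keyed on the action value (not visible in this hunk), that ambiguity is worth removing, for example by dropping the name from the button: `<input type="submit" value="Save Changes">`. The form's opening tag and the handling script are outside the hunk, so first confirm that nothing relies on the button's value.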
|
||||
|
|
|
@ -263,6 +263,7 @@
|
|||
<input type="submit" id="delete" value="Yes, delete">
|
||||
<input type="hidden" name="action" value="delete">
|
||||
<input type="hidden" name="product" value="[% product.name FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="hidden" name="classification"
|
||||
value="[% classification.name FILTER html %]">
|
||||
</form>
|
||||
|
|
|
@ -57,6 +57,7 @@
|
|||
<input type="hidden" name="subcategory" value="-All-">
|
||||
<input type="hidden" name="open_name" value="All Open">
|
||||
<input type="hidden" name="action" value="new">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="hidden" name="classification"
|
||||
value="[% classification.name FILTER html %]">
|
||||
</form>
|
||||
|
|
|
@ -132,6 +132,7 @@ versions:</a>
|
|||
<input type="hidden" name="product_old_name"
|
||||
value="[% product.name FILTER html %]">
|
||||
<input type="hidden" name="action" value="update">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="hidden" name="classification"
|
||||
value="[% classification.name FILTER html %]">
|
||||
<input type="submit" name="submit" value="Update">
|
||||
|
|
|
@ -31,6 +31,7 @@
|
|||
<form method="post" action="editproducts.cgi">
|
||||
<input type="hidden" name="action" value="updategroupcontrols">
|
||||
<input type="hidden" name="product" value="[% product.name FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="hidden" name="classification"
|
||||
value="[% classification.name FILTER html %]">
|
||||
|
||||
|
|
|
@ -85,6 +85,7 @@ page, and the Default Value will automatically apply to everyone.
|
|||
</table>
|
||||
|
||||
<input type="hidden" name="action" value="update">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<table>
|
||||
<tr>
|
||||
<td width="150"></td>
|
||||
|
|
|
@ -448,6 +448,7 @@
|
|||
<input type="submit" id="delete" value="Yes, delete"/>
|
||||
<input type="hidden" name="action" value="delete" />
|
||||
<input type="hidden" name="userid" value="[% otheruser.id %]" />
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
[% INCLUDE listselectionhiddenfields %]
|
||||
</p>
|
||||
</form>
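Review bot: The added `token` input is written without the self-closing slash, while every neighbouring input in this template uses `/>`; for consistency it should read `<input type="hidden" name="token" value="[% token FILTER html %]" />`. The same applies to the token lines added in the next two hunks (the `action=new` and `action=update` user forms). Separately, the `userid` value beside it is emitted as `[% otheruser.id %]` with no filter, unlike the new line; unless the id is guaranteed numeric and deliberately exempted, `FILTER html` belongs there too.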
|
||||
|
|
|
@ -41,6 +41,7 @@
|
|||
<p>
|
||||
<input type="submit" id="add" value="Add"/>
|
||||
<input type="hidden" name="action" value="new" />
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
[% INCLUDE listselectionhiddenfields %]
|
||||
</p>
|
||||
</form>
|
||||
|
|
|
@ -106,6 +106,7 @@
|
|||
<input type="submit" id="update" value="Update" />
|
||||
<input type="hidden" name="userid" value="[% otheruser.id %]" />
|
||||
<input type="hidden" name="action" value="update" />
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
[% INCLUDE listselectionhiddenfields %]
|
||||
|
||||
or <a href="editusers.cgi?action=activity&userid=[% otheruser.id %]"
|
||||
|
|
|
@ -92,6 +92,7 @@
|
|||
<input type="hidden" name="action" value="delete">
|
||||
<input type="hidden" name="product" value="[% product.name FILTER html %]">
|
||||
<input type="hidden" name="version" value="[% version.name FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
[% END %]
|
||||
|
|
|
@ -43,7 +43,7 @@
|
|||
<input type="submit" id="create" value="Add">
|
||||
<input type="hidden" name="action" value="new">
|
||||
<input type="hidden" name='product' value="[% product.name FILTER html %]">
|
||||
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
</form>
|
||||
|
||||
<p>
|
||||
|
|
|
@ -48,8 +48,8 @@
|
|||
<input type="hidden" name="versionold" value="[% version.name FILTER html %]">
|
||||
<input type="hidden" name="action" value="update">
|
||||
<input type="hidden" name="product" value="[% product.name FILTER html %]">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
<input type="submit" id="update" value="Update">
|
||||
|
||||
</form>
|
||||
|
||||
<p>
|
||||
|
|
|
@ -512,7 +512,6 @@
|
|||
|
||||
'admin/flag-type/list.html.tmpl' => [
|
||||
'type.id',
|
||||
'type.flag_count',
|
||||
],
|
||||
|
||||
|
||||
|
|
|
@ -82,6 +82,7 @@
|
|||
<input type="submit" value="Update / Commit" name="commit"
|
||||
style="display: none;" id="commit">
|
||||
<input type="hidden" name="update" value="1">
|
||||
<input type="hidden" name="token" value="[% token FILTER html %]">
|
||||
|
||||
[% FOREACH event = events %]
|
||||
|
||||
|
|
|
@ -378,7 +378,7 @@ sub confirm_create_account {
|
|||
cryptpassword => $cgi->param('passwd1')});
|
||||
|
||||
# Now delete this token.
|
||||
Bugzilla::Token::DeleteToken($::token);
|
||||
delete_token($::token);
|
||||
|
||||
# Let the user know that his user account has been successfully created.
|
||||
$vars->{'message'} = 'account_created';
|
||||
|
|