summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2007-03-11 16:55:21 +0000
committerlpsolit%gmail.com <>2007-03-11 16:55:21 +0000
commite15776a6d748b615a60596f5f065db0a380550cb (patch)
tree54b5e54ca8dfa2142428cd3ae75aa6b44aef3be8 /editusers.cgi
parentBug 371774: process_bug.cgi should only validate longdesclength on mid-air co... (diff)
downloadbugzilla-e15776a6d748b615a60596f5f065db0a380550cb.tar.gz
bugzilla-e15776a6d748b615a60596f5f065db0a380550cb.tar.bz2
bugzilla-e15776a6d748b615a60596f5f065db0a380550cb.zip
Bug 354868: Race condition when changing user privs in editusers.cgi - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=LpSolit
Diffstat (limited to 'editusers.cgi')
-rwxr-xr-xeditusers.cgi21
1 files changed, 12 insertions, 9 deletions
diff --git a/editusers.cgi b/editusers.cgi
index b4e3f698e..076a2de98 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -235,7 +235,10 @@ if ($action eq 'search') {
'groups READ',
'user_group_map WRITE',
'group_group_map READ',
- 'group_group_map AS ggm READ');
+ 'group_group_map AS ggm READ',
+ 'user_group_map AS directmember READ',
+ 'user_group_map AS regexpmember READ',
+ 'user_group_map AS directbless READ');
$editusers || $user->can_see_user($otherUser)
|| ThrowUserError('auth_failure', {reason => "not_visible",
@@ -282,15 +285,16 @@ if ($action eq 'search') {
# silently.
# XXX: checking for existence of each user_group_map entry
# would allow to display a friendlier error message on page reloads.
+ userDataToVars($otherUserID);
+ my $permissions = $vars->{'permissions'};
foreach (@{$user->bless_groups()}) {
my $id = $$_{'id'};
my $name = $$_{'name'};
# Change memberships.
- my $oldgroupid = $cgi->param("oldgroup_$id") || '0';
- my $groupid = $cgi->param("group_$id") || '0';
- if ($groupid ne $oldgroupid) {
- if ($groupid eq '0') {
+ my $groupid = $cgi->param("group_$id") || 0;
+ if ($groupid != $permissions->{$id}->{'directmember'}) {
+ if (!$groupid) {
$sth_remove_mapping->execute(
$otherUserID, $id, 0, GRANT_DIRECT);
push(@groupsRemovedFrom, $name);
@@ -304,10 +308,9 @@ if ($action eq 'search') {
# Only members of the editusers group may change bless grants.
# Skip silently if this is not the case.
if ($editusers) {
- my $oldgroupid = $cgi->param("oldbless_$id") || '0';
- my $groupid = $cgi->param("bless_$id") || '0';
- if ($groupid ne $oldgroupid) {
- if ($groupid eq '0') {
+ my $groupid = $cgi->param("bless_$id") || 0;
+ if ($groupid != $permissions->{$id}->{'directbless'}) {
+ if (!$groupid) {
$sth_remove_mapping->execute(
$otherUserID, $id, 1, GRANT_DIRECT);
push(@groupsDeniedRightsToBless, $name);