Closed Bug 276605 Opened 21 years ago Closed 21 years ago

Ignore vote changes when usevotes = 0

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

Product:
Bugzilla
Component:
Creating/Changing Bugs
Version:
2.19.1
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.18

People

(Reporter: LpSolit, Assigned: LpSolit)

References

Details

Attachments

(2 files, 1 obsolete file)

patch, v2
2.14 KB, patch
Wurblzap
: review+
Details | Diff | Splinter Review
patch for the 2.18 branch
2.21 KB, patch
Wurblzap
: review+
Details | Diff | Splinter Review
Actually, you can still change your votes even if usevotes = 0 (via such an URL: votes.cgi?bug_id=64&action=show_user). Consequently, you can still confirm bugs if the following conditions are satistfied in CheckIfVotedConfirmed(): if ($votes >= $votestoconfirm && $status eq $::unconfirmedstate) {...} We need to prevent that. I have a patch.
If you have a patch, let's see it. :-) Does this also show up on the 2.18 branch? (If it does, it also needs to be blocking2.18.)
Flags: blocking2.20?
Hey justdave, this looks like it might be a security bug. (Users can confirm bugs when they shouldn't be able to.)
When I asked in the channel, justdave said that this isn't a security bug, just a minor annoyance, since UNCONFIRMED will be disabled when usevotes = 0.
I'll take this for both 2.18 and 2.20 if it's applicable to both, but I won't hold release for it.
Flags: blocking2.20? → blocking2.20-
Target Milestone: --- → Bugzilla 2.18
Status: NEW → ASSIGNED
Attached patch patch, v1 (obsolete) — Splinter Review
forbid to edit votes if usevotes = 0 + fix a LOCK TABLE problem.
Attachment #170245 - Flags: review?(wurblzap)
Blocks: 277013
Blocks: 250440
Comment on attachment 170245 [details] [diff] [review] patch, v1 It seems to me that what this bug addresses is basically covered by this: - record_votes(); + record_votes() if Param('usevotes'); - my $canedit = 1 if ($userid && $name eq Bugzilla->user->login); + my $canedit = (Param('usevotes') && $userid == $who) ? 1 : 0; so this may be separated from the locking issue if it turns out to be necessary. I don't think what happens inside CheckIfVotedConfirmed should happen without locking. More than that even: it should happen with the same lock that is active during the UPDATE bugs SET votes part. You said that Dave agreed to move CheckIfVotedConfirmed out of the locked part, but I can't see that. This is my real issue. Let's address the minor ones, and the nits and questions now :) + my $canedit = (Param('usevotes') && $userid == $who) ? 1 : 0; The part beginning with '?' can go. - my $v = FetchOneColumn(); - $v ||= 0; + my $v = FetchOneColumn() || 0; Unrelated to this bug, but fine with me. + print Bugzilla->cgi->header(); I can see that something along these lines is needed for CheckIfVotedConfirmed. But in show_user it happens again. Am I missing something? The header_done part is very hacky. It works, but I don't like it. Do you think there may be a more elegant solution?
Attachment #170245 - Flags: review?(wurblzap) → review-
(In reply to comment #6) > You said that Dave agreed to move > CheckIfVotedConfirmed out of the locked part, but I can't see that. I said it sounded logical, but I hadn't actually looked at the code closely when I said that. I do know bbaetz was damn anal about proper table locking back in the day, and most of those locks were there for a reason :) Usually when one of those "tables not locked" errors happen it means someone added a table to a query somewhere and didn't add to the lock. If this patch can be split, I would much prefer it to be, because these really are two separate issues. I can't see this issue being a release blocker, but the SQL error definitely is. (That said, there's nothing stopping this from going in before the release)
Flags: blocking2.20-
Flags: blocking2.20+
Flags: blocking2.18+
er, I didn't mean to do that ;)
Flags: blocking2.20-
Flags: blocking2.20+
Flags: blocking2.18-
Flags: blocking2.18+
Comment on attachment 170245 [details] [diff] [review] patch, v1 Asking bbaetz for review... in order to make sure if CheckIfVotedConfirmed() should remain inside the LOCK... UNLOCK TABLE or not. Bradley, any comments, suggestions are welcome.
Attachment #170245 - Flags: review?(bbaetz)
There's a big, bad LOCK TABLES statement in process_bug.cgi. I'm afraid we'll need to adopt it or abstract it out as sub lockAllFreakingTablesNeededForUpdatingBugs or something :/
No longer blocks: 277013
Depends on: 277013
Comment on attachment 170245 [details] [diff] [review] patch, v1 I finally splitted my patch into two parts, to make things easier to review. So this patch is now obsolete. But I'm still interested in Bradley's opinion. ;)
Attachment #170245 - Attachment is obsolete: true
Attachment #170245 - Flags: review?(bbaetz)
Attached patch patch, v2Splinter Review
Now that bug 277013 is fixed, this patch only includes the remaining part of the original patch.
Attachment #170830 - Flags: review?(wurblzap)
Comment on attachment 170830 [details] [diff] [review] patch, v2 Ok, this does the trick. + my $canedit = (Param('usevotes') && $userid == $who) ? 1 : 0; I still don't like that ?1:0, thinking that it's more readable without it, but I'll leave it up to you whether you wish to put up a new patch without it. You have r=wurblzap with or without it :)
Attachment #170830 - Flags: review?(wurblzap) → review+
This does not apply cleanly to the branch; if you like, put up a branch patch, set r+ on it and request approval2.18. For the record, this... (In reply to comment #6) > + print Bugzilla->cgi->header(); > > I can see that something along these lines is needed for CheckIfVotedConfirmed. > But in show_user it happens again. Am I missing something? ... is all right (see https://bugzilla.mozilla.org/show_bug.cgi?id=277013#c3).
Flags: approval?
I tested the critical case where the URL is /votes.cgi?action=show_user&user= when the user is *not* logged in, because of the test my $canedit = (Param('usevotes') && $userid == $who) ? 1 : 0; In this case, neither the current user nor the user in the URL (empty actually) are defined and I just tested if ($userid == $who) is true in this case, which would be bad. Fortunately, DBNameToIdAndCheck() complains first on the trunk... but an error message is displayed in the 2.18 branch!? I'm not sure why but I suspect the _create() subroutine in User.pm to be the reason as this subroutine changed between 2.18 and 2.19. ( I hope not to introduce another regression as I already did once :( )
Attachment #171066 - Flags: review?(wurblzap)
Attachment #171066 - Flags: review?(wurblzap) → review+
Flags: approval2.18?
Whiteboard: patch awaiting approval
Flags: approval? → approval+
I'm not checking this in until the approved2.18? is either approved or goes away (in case you're wondering what the holdup is).
Flags: approval2.18? → approval2.18+
2.18: Checking in votes.cgi; /cvsroot/mozilla/webtools/bugzilla/votes.cgi,v <-- votes.cgi new revision: 1.17.2.3; previous revision: 1.17.2.2 done Checking in template/en/default/bug/votes/list-for-user.html.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/votes/list-for- user.html.tmpl,v <-- list-for-user.html.tmpl new revision: 1.15.2.2; previous revision: 1.15.2.1 done Tip: Checking in votes.cgi; /cvsroot/mozilla/webtools/bugzilla/votes.cgi,v <-- votes.cgi new revision: 1.22; previous revision: 1.21 done Checking in template/en/default/bug/votes/list-for-user.html.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/votes/list-for- user.html.tmpl,v <-- list-for-user.html.tmpl new revision: 1.17; previous revision: 1.16 done
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: patch awaiting approval
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: