Bug 39526 - show_activity.cgi doesn't check viewing permissions
Status: RESOLVED FIXED
security
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General
Version: unspecified
Hardware: Other Other
Importance: P3 normal
Target Milestone: Bugzilla 2.14
Assigned To: Myk Melez [:myk] [@mykmelez]
QA Contact: default-qa
http://bugzilla.mozilla.org/show_acti...
Duplicates: 94476
Depends on:
Blocks: 66091
Reported: 2000-05-16 17:01 PDT by Jesse Ruderman
Modified: 2012-12-18 20:46 PST


Attachments
patch to validate bug ID and check permissions to view bug (2.79 KB, patch)
2001-05-29 15:27 PDT, Myk Melez [:myk] [@mykmelez]
patch that abstracts out bug ID validation (3.72 KB, patch)
2001-05-29 16:08 PDT, Myk Melez [:myk] [@mykmelez]
patch w/o CGI.pl for installations that have already installed the patch for bug 39524 (1.69 KB, patch)
2001-05-30 17:00 PDT, Myk Melez [:myk] [@mykmelez]

Description Jesse Ruderman 2000-05-16 17:01:01 PDT
http://bugzilla.mozilla.org/show_bug.cgi?id=28698 gives "permission denied".
http://bugzilla.mozilla.org/show_activity.cgi?id=28698 is visible.
Comment 1 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-02-27 19:02:30 PST
moving to real milestones...
Comment 2 Myk Melez [:myk] [@mykmelez] 2001-05-29 15:27:17 PDT
Created attachment 36416
patch to validate bug ID and check permissions to view bug
Comment 3 Myk Melez [:myk] [@mykmelez] 2001-05-29 16:08:11 PDT
Created attachment 36433
patch that abstracts out bug ID validation
Comment 4 Myk Melez [:myk] [@mykmelez] 2001-05-29 16:10:04 PDT
This second patch puts most of the validation code into a separate function in
CGI.pl so it can be used by other scripts that need to do bug ID validation
(like bug 39524, bug 39527, etc.).
Comment 5 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-05-29 16:18:23 PDT
The check for the user belonging to the product group is unnecessary.  That's 
included in the groupset on the bug itself.  It is possible to clear the product 
group bit on a bug that's in a product that has a group, and this would prevent 
people from seeing it then.
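
The shared check discussed in comments 4 and 5, sketched as an added example; it is not the attached patches or Bugzilla's own code. The function names, the sample tables and the rule that a user must hold every group bit set on the bug are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Bugzilla's code. All data, names and group bits are constructed.
use strict;
use warnings;

# bug id => group bitmask on the bug itself (0 = public)
my %BUG_GROUPSET  = (100 => 0, 101 => 0b01, 102 => 0);
# Group bit of each bug's product; bug 102 had its product bit (0b10) cleared.
my %PRODUCT_GROUP = (100 => 0, 101 => 0b01, 102 => 0b10);
my %ACTIVITY      = (100 => 'status changed', 101 => 'summary changed', 102 => 'cc added');

# Hypothetical shared check, returns (1, $id) or (0, $reason).
# Assumption: a user may view a bug only when holding every group bit set on it.
sub validate_bug_id {
    my ($raw, $user_groups) = @_;
    return (0, 'invalid bug id') unless defined $raw && $raw =~ /\A[0-9]{1,9}\z/;
    my $id = $raw + 0;
    return (0, 'no such bug') unless exists $BUG_GROUPSET{$id};
    my $need = $BUG_GROUPSET{$id};
    return (0, 'permission denied') unless ($need & $user_groups) == $need;
    return (1, $id);
}

# Same check plus the separate product-group test that comment 5 calls unnecessary.
sub validate_with_product_check {
    my ($raw, $user_groups) = @_;
    my ($ok, $val) = validate_bug_id($raw, $user_groups);
    return ($ok, $val) unless $ok;
    my $pg = $PRODUCT_GROUP{$val};
    return (0, 'permission denied') unless ($pg & $user_groups) == $pg;
    return (1, $val);
}

# "Before": the activity view never consults permissions.
sub show_activity_unchecked { my ($raw) = @_; return $ACTIVITY{$raw} // 'no activity' }

# "After": the activity view goes through the shared check, like the bug view.
sub show_activity_checked {
    my ($raw, $user_groups) = @_;
    my ($ok, $val) = validate_bug_id($raw, $user_groups);
    return $ok ? $ACTIVITY{$val} : "denied ($val)";
}

my $anon = 0;    # constructed user who belongs to no groups
print "unchecked 101:     ", show_activity_unchecked('101'), "\n";
print "checked 101:       ", show_activity_checked('101', $anon), "\n";
print "checked '101 x':   ", show_activity_checked('101 x', $anon), "\n";
print "checked 102:       ", show_activity_checked('102', $anon), "\n";
my ($ok, $why) = validate_with_product_check('102', $anon);
print "product check 102: ", ($ok ? 'allowed' : "denied ($why)"), "\n";
```

Bug 102 models the case from comment 5: its own groupset is empty, so the shared check allows it, while the extra product-group test denies it.
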
Comment 6 Myk Melez [:myk] [@mykmelez] 2001-05-30 17:00:03 PDT
Created attachment 36584
patch w/o CGI.pl for installations that have already installed the patch for bug 39524
Comment 7 Myk Melez [:myk] [@mykmelez] 2001-05-30 18:22:19 PDT
accepting
Comment 8 Myk Melez [:myk] [@mykmelez] 2001-05-31 16:00:58 PDT
Adding "review" keyword to get these on the radars of reviewers (if they aren't
already).
Comment 9 Jacob Steenhagen 2001-06-01 06:46:36 PDT
r=jake
Fix checked in.
Comment 10 Myk Melez [:myk] [@mykmelez] 2001-08-09 17:18:57 PDT
*** Bug 94476 has been marked as a duplicate of this bug. ***
Comment 11 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-09-02 23:38:18 PDT
Moving to Bugzilla product
