Bug 39526 - show_activity.cgi doesn't check viewing permissions
Status: RESOLVED FIXED
security
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General
Version: unspecified
Platform: Other Other
Importance: P3 normal
Target Milestone: Bugzilla 2.14
Assigned To: Myk Melez [:myk] [@mykmelez]
QA Contact: default-qa
URL: http://bugzilla.mozilla.org/show_acti...
Duplicates: 94476
Depends on:
Blocks: 66091

Reported: 2000-05-16 17:01 PDT by Jesse Ruderman
Modified: 2012-12-18 20:46 PST


Attachments
patch to validate bug ID and check permissions to view bug (2.79 KB, patch)
2001-05-29 15:27 PDT, Myk Melez [:myk] [@mykmelez]
patch that abstracts out bug ID validation (3.72 KB, patch)
2001-05-29 16:08 PDT, Myk Melez [:myk] [@mykmelez]
patch w/o CGI.pl for installations that have already installed the patch for bug 39524 (1.69 KB, patch)
2001-05-30 17:00 PDT, Myk Melez [:myk] [@mykmelez]

Description Jesse Ruderman 2000-05-16 17:01:01 PDT
http://bugzilla.mozilla.org/show_bug.cgi?id=28698 gives "permission denied".
http://bugzilla.mozilla.org/show_activity.cgi?id=28698 is visible.
Comment 1 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-02-27 19:02:30 PST
moving to real milestones...
Comment 2 Myk Melez [:myk] [@mykmelez] 2001-05-29 15:27:17 PDT
Created attachment 36416
patch to validate bug ID and check permissions to view bug
Comment 3 Myk Melez [:myk] [@mykmelez] 2001-05-29 16:08:11 PDT
Created attachment 36433
patch that abstracts out bug ID validation
Comment 4 Myk Melez [:myk] [@mykmelez] 2001-05-29 16:10:04 PDT
This second patch puts most of the validation code into a separate function in
CGI.pl so it can be used by other scripts that need to do bug ID validation
(like bug 39524, bug 39527, etc.).
Comment 5 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-05-29 16:18:23 PDT
The check for the user belonging to the product group is unnecessary.  That's 
included in the groupset on the bug itself.  It is possible to clear the product 
group bit on a bug that's in a product that has a group, and this would prevent 
people from seeing it then.
Comment 6 Myk Melez [:myk] [@mykmelez] 2001-05-30 17:00:03 PDT
Created attachment 36584
patch w/o CGI.pl for installations that have already installed the patch for bug 39524
Comment 7 Myk Melez [:myk] [@mykmelez] 2001-05-30 18:22:19 PDT
accepting
Comment 8 Myk Melez [:myk] [@mykmelez] 2001-05-31 16:00:58 PDT
Adding "review" keyword to get these on the radars of reviewers (if they aren't
already).
Comment 9 Jacob Steenhagen 2001-06-01 06:46:36 PDT
r=jake
Fix checked in.
Comment 10 Myk Melez [:myk] [@mykmelez] 2001-08-09 17:18:57 PDT
*** Bug 94476 has been marked as a duplicate of this bug. ***
Comment 11 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-09-02 23:38:18 PDT
Moving to Bugzilla product
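
The approach discussed in comments 4 and 5 (one shared bug ID validation routine, with the bug's own groupset as the sole authority), shown as an added Perl example that is not Bugzilla's code or any of the attached patches. The function names, the sample data and the rule that a user must hold every group bit set on the bug are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: group bits, products and bugs are illustrative only.
my %GROUP_BIT     = (security => 1, webtools => 2);
my %PRODUCT_GROUP = (Webtools => 'webtools');
my %BUGS = (
    101 => { product => 'Webtools', groupset => 0 },   # product bit cleared: public
    102 => { product => 'Webtools', groupset => 1 },   # restricted to "security"
);
my %ACTIVITY = (101 => ['status changed'], 102 => ['summary changed']);

# Hypothetical shared helper. Every script that accepts a bug ID calls it
# before reading anything about the bug; it returns the ID or dies.
sub validate_bug_id {
    my ($raw, $user_groupset) = @_;
    die "invalid bug id\n"
        unless defined $raw && $raw =~ /\A[1-9][0-9]{0,8}\z/;
    # Same message for "no such bug" and "not allowed", so existence is not revealed.
    my $bug = $BUGS{$raw} or die "permission denied\n";
    # The bug's own groupset decides: the user needs every bit set on it.
    die "permission denied\n"
        unless ($bug->{groupset} & $user_groupset) == $bug->{groupset};
    return $raw + 0;
}

# The extra check questioned in comment 5: also demand the product's group.
sub product_group_ok {
    my ($id, $user_groupset) = @_;
    my $group = $PRODUCT_GROUP{ $BUGS{$id}{product} } or return 1;
    return ($user_groupset & $GROUP_BIT{$group}) ? 1 : 0;
}

# Two entry points, one gate: the activity view cannot drift from the bug view.
sub show_bug      { my $id = validate_bug_id(@_); return "bug $id" }
sub show_activity { my $id = validate_bug_id(@_); return join ', ', @{ $ACTIVITY{$id} } }

for my $case ([101, 0], [102, 0], [102, 1], ['102;x', 1]) {
    my ($id, $groups) = @$case;
    for my $view (\&show_bug, \&show_activity) {
        my $out = eval { $view->($id, $groups) };
        $out = 'ERROR: ' . $@ unless defined $out;
        chomp $out;
        print "id=$id groups=$groups => $out\n";
    }
}
# Bug 101 is public by its own groupset, yet the product check would refuse it.
print 'product check for 101, no groups: ', product_group_ok(101, 0), "\n";
```

Both views return the same allow or deny result for every case, and the last line prints 0, showing how a separate product-group test would hide a bug whose product bit had been cleared.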
