From: <vb...@us...> - 2008-06-05 06:29:12
Revision: 5326 http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5326&view=rev Author: vboctor Date: 2008-06-04 23:29:11 -0700 (Wed, 04 Jun 2008) Log Message: ----------- - Fixed #7764: APPLICATION WARNING #100: Configuration option 'category_enum_string' not found. - Remove helper_ensure_post() from tag_detach.php since it is no longer needed. - Add form security tokens for bug group actions. Modified Paths: -------------- branches/BRANCH_1_1_0/mantisbt/bug_actiongroup.php branches/BRANCH_1_1_0/mantisbt/bug_actiongroup_page.php branches/BRANCH_1_1_0/mantisbt/tag_detach.php Modified: branches/BRANCH_1_1_0/mantisbt/bug_actiongroup.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_actiongroup.php 2008-06-04 19:23:36 UTC (rev 5325) +++ branches/BRANCH_1_1_0/mantisbt/bug_actiongroup.php 2008-06-05 06:29:11 UTC (rev 5326) @@ -53,6 +53,8 @@ $t_custom_field_def = custom_field_get_definition( $f_custom_field_id ); } + $t_first_issue = true; + foreach( $f_bug_arr as $t_bug_id ) { bug_ensure_exists( $t_bug_id ); $t_bug = bug_get( $t_bug_id, true ); @@ -70,6 +72,10 @@ switch ( $f_action ) { case 'CLOSE': + if ( $t_first_issue ) { + form_security_validate( 'bug_close' ); + } + if ( access_can_close_bug( $t_bug_id ) && ( $t_status < CLOSED ) && bug_check_workflow($t_status, CLOSED) ) { @@ -87,6 +93,10 @@ break; case 'DELETE': + if ( $t_first_issue ) { + form_security_validate( 'bug_delete' ); + } + if ( access_has_bug_level( config_get( 'delete_bug_threshold' ), $t_bug_id ) ) { bug_delete( $t_bug_id ); } else { @@ -95,6 +105,10 @@ break; case 'MOVE': + if ( $t_first_issue ) { + form_security_validate( 'bug_move' ); + } + if ( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id ) ) { # @@@ we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) ); $f_project_id = gpc_get_int( 'project_id' ); 
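Review bot: The CSRF check is repeated as a `$t_first_issue` block inside every case of the per-issue switch (this hunk and the following ones through the `$t_first_issue = false;` hunk), so the token is validated only after `bug_ensure_exists`/`bug_get` have already run on the first id, is never validated when `$f_bug_arr` is empty or `$f_action` falls into `default`, and every future case has to remember to add the same four lines. Validating once before the `foreach` from an action-to-form-name map removes the duplication and guarantees that an unknown action is rejected before any issue is touched; the same map could be shared with bug_actiongroup_page.php, whose hunks currently repeat the same string literals by hand and must match these byte for byte or the submission is refused. The custom-field name depends on `$f_custom_field_id`, so the map has to be built after that value is read (it is, in the context above `$t_first_issue = true`); the custom-field case label is not visible in this file, `'CUSTOM'` below is taken from the page file. The enclosing script continues outside the hunk.
```php
// … unchanged: $f_custom_field_id read and custom_field_get_definition() …
$t_form_names = array(
	'CLOSE'               => 'bug_close',
	'DELETE'              => 'bug_delete',
	'MOVE'                => 'bug_move',
	'COPY'                => 'bug_copy',
	'ASSIGN'              => 'bug_assign',
	'RESOLVE'             => 'bug_resolve',
	'UP_PRIOR'            => 'bug_update_priority',
	'UP_STATUS'           => 'bug_update_status',
	'UP_CATEGORY'         => 'bug_update_category',
	'UP_FIXED_IN_VERSION' => 'bug_update_fixed_in_version',
	'UP_TARGET_VERSION'   => 'bug_update_target_version',
	'VIEW_STATUS'         => 'bug_update_view_status',
	'SET_STICKY'          => 'bug_set_sticky',
	'CUSTOM'              => 'bug_update_custom_field_' . $f_custom_field_id,
);

# Reject unknown actions and missing/invalid tokens before any issue is read or modified.
if ( !isset( $t_form_names[$f_action] ) ) {
	trigger_error( ERROR_GENERIC, ERROR );
}
form_security_validate( $t_form_names[$f_action] );

foreach( $f_bug_arr as $t_bug_id ) {
	// … unchanged: per-issue switch, with the $t_first_issue blocks removed …
}
```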
@@ -106,6 +120,10 @@ break; case 'COPY': + if ( $t_first_issue ) { + form_security_validate( 'bug_copy' ); + } + $f_project_id = gpc_get_int( 'project_id' ); if ( access_has_project_level( config_get( 'report_bug_threshold' ), $f_project_id ) ) { @@ -116,6 +134,10 @@ break; case 'ASSIGN': + if ( $t_first_issue ) { + form_security_validate( 'bug_assign' ); + } + $f_assign = gpc_get_int( 'assign' ); if ( ON == config_get( 'auto_set_status_to_assigned' ) ) { $t_assign_status = config_get( 'bug_assigned_status' ); @@ -141,6 +163,10 @@ break; case 'RESOLVE': + if ( $t_first_issue ) { + form_security_validate( 'bug_resolve' ); + } + $t_resolved_status = config_get( 'bug_resolved_status_threshold' ); if ( access_has_bug_level( access_get_status_threshold( $t_resolved_status, bug_get_field( $t_bug_id, 'project_id' ) ), $t_bug_id ) && ( $t_status < $t_resolved_status ) && @@ -161,6 +187,10 @@ break; case 'UP_PRIOR': + if ( $t_first_issue ) { + form_security_validate( 'bug_update_priority' ); + } + if ( access_has_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id ) ) { $f_priority = gpc_get_int( 'priority' ); # @@@ we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) ); @@ -172,6 +202,10 @@ break; case 'UP_STATUS': + if ( $t_first_issue ) { + form_security_validate( 'bug_update_status' ); + } + $f_status = gpc_get_int( 'status' ); $t_project = bug_get_field( $t_bug_id, 'project_id' ); if ( access_has_bug_level( access_get_status_threshold( $f_status, $t_project ), $t_bug_id ) ) { @@ -188,6 +222,10 @@ break; case 'UP_CATEGORY': + if ( $t_first_issue ) { + form_security_validate( 'bug_update_category' ); + } + $f_category = gpc_get_string( 'category' ); $t_project = bug_get_field( $t_bug_id, 'project_id' ); if ( access_has_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id ) ) { 
@@ -204,6 +242,10 @@ break; case 'UP_FIXED_IN_VERSION': + if ( $t_first_issue ) { + form_security_validate( 'bug_update_fixed_in_version' ); + } + $f_fixed_in_version = gpc_get_string( 'fixed_in_version' ); $t_project_id = bug_get_field( $t_bug_id, 'project_id' ); $t_success = false; @@ -223,6 +265,10 @@ break; case 'UP_TARGET_VERSION': + if ( $t_first_issue ) { + form_security_validate( 'bug_update_target_version' ); + } + $f_target_version = gpc_get_string( 'target_version' ); $t_project_id = bug_get_field( $t_bug_id, 'project_id' ); $t_success = false; @@ -242,6 +288,10 @@ break; case 'VIEW_STATUS': + if ( $t_first_issue ) { + form_security_validate( 'bug_update_view_status' ); + } + if ( access_has_bug_level( config_get( 'change_view_status_threshold' ), $t_bug_id ) ) { $f_view_status = gpc_get_int( 'view_status' ); # @@@ we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) ); @@ -253,6 +303,10 @@ break; case 'SET_STICKY': + if ( $t_first_issue ) { + form_security_validate( 'bug_set_sticky' ); + } + if ( access_has_bug_level( config_get( 'set_bug_sticky_threshold' ), $t_bug_id ) ) { $f_sticky = bug_get_field( $t_bug_id, 'sticky' ); // The new value is the inverted old value @@ -269,6 +323,10 @@ trigger_error( ERROR_GENERIC, ERROR ); } + if ( $t_first_issue ) { + form_security_validate( 'bug_update_custom_field_' . $f_custom_field_id ); + } + # @@@ we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) ); $t_form_var = "custom_field_$f_custom_field_id"; $t_custom_field_value = gpc_get_custom_field( $t_form_var, $t_custom_field_def['type'], null ); 
@@ -279,6 +337,8 @@ default: trigger_error( ERROR_GENERIC, ERROR ); } + + $t_first_issue = false; } $t_redirect_url = 'view_all_bug_page.php'; Modified: branches/BRANCH_1_1_0/mantisbt/bug_actiongroup_page.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/bug_actiongroup_page.php 2008-06-04 19:23:36 UTC (rev 5325) +++ branches/BRANCH_1_1_0/mantisbt/bug_actiongroup_page.php 2008-06-05 06:29:11 UTC (rev 5326) @@ -93,18 +93,21 @@ $t_finished = true; $t_question_title = lang_get( 'close_bugs_conf_msg' ); $t_button_title = lang_get( 'close_group_bugs_button' ); + $t_form_name = 'bug_close'; break; case 'DELETE' : $t_finished = true; $t_question_title = lang_get( 'delete_bugs_conf_msg' ); $t_button_title = lang_get( 'delete_group_bugs_button' ); + $t_form_name = 'bug_delete'; break; case 'SET_STICKY' : $t_finished = true; $t_question_title = lang_get( 'set_sticky_bugs_conf_msg' ); $t_button_title = lang_get( 'set_sticky_group_bugs_button' ); + $t_form_name = 'bug_set_sticky'; break; # ...else we define the variables used in the form @@ -112,18 +115,21 @@ $t_question_title = lang_get( 'move_bugs_conf_msg' ); $t_button_title = lang_get( 'move_group_bugs_button' ); $t_form = 'project_id'; + $t_form_name = 'bug_move'; break; case 'COPY' : $t_question_title = lang_get( 'copy_bugs_conf_msg' ); $t_button_title = lang_get( 'copy_group_bugs_button' ); $t_form = 'project_id'; + $t_form_name = 'bug_copy'; break; case 'ASSIGN' : $t_question_title = lang_get( 'assign_bugs_conf_msg' ); $t_button_title = lang_get( 'assign_group_bugs_button' ); $t_form = 'assign'; + $t_form_name = 'bug_assign'; break; case 'RESOLVE' : @@ -135,6 +141,7 @@ $t_question_title2 = lang_get( 'fixed_in_version' ); $t_form2 = 'fixed_in_version'; } + $t_form_name = 'bug_resolve'; break; case 'UP_PRIOR' : 
@@ -142,6 +149,7 @@ $t_button_title = lang_get( 'priority_group_bugs_button' ); $t_form = 'priority'; $t_request = 'priority'; + $t_form_name = 'bug_update_priority'; break; case 'UP_STATUS' : @@ -149,34 +157,35 @@ $t_button_title = lang_get( 'status_group_bugs_button' ); $t_form = 'status'; $t_request = 'status'; + $t_form_name = 'bug_update_status'; break; case 'UP_CATEGORY' : $t_question_title = lang_get( 'category_bugs_conf_msg' ); $t_button_title = lang_get( 'category_group_bugs_button' ); $t_form = 'category'; - $t_request = 'category'; + $t_form_name = 'bug_update_category'; break; case 'VIEW_STATUS' : $t_question_title = lang_get( 'view_status_bugs_conf_msg' ); $t_button_title = lang_get( 'view_status_group_bugs_button' ); - $t_form = 'view_status'; - $t_request = 'view_status'; + $t_form = 'view_status'; + $t_form_name = 'bug_update_view_status'; break; case 'UP_FIXED_IN_VERSION': $t_question_title = lang_get( 'fixed_in_version_bugs_conf_msg' ); $t_button_title = lang_get( 'fixed_in_version_group_bugs_button' ); $t_form = 'fixed_in_version'; - $t_request = 'fixed_in_version'; + $t_form_name = 'bug_update_fixed_in_version'; break; case 'UP_TARGET_VERSION': $t_question_title = lang_get( 'target_version_bugs_conf_msg' ); $t_button_title = lang_get( 'target_version_group_bugs_button' ); $t_form = 'target_version'; - $t_request = 'target_version'; + $t_form_name = 'bug_update_target_version'; break; case 'CUSTOM' : @@ -184,6 +193,7 @@ $t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) ); $t_button_title = $t_question_title; $t_form = "custom_field_$t_custom_field_id"; + $t_form_name = 'bug_update_custom_field_' . $t_custom_field_id; break; default: 
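Review bot: In the `@@ -149,34 +157,35 @@` hunk the UP_CATEGORY, VIEW_STATUS, UP_FIXED_IN_VERSION and UP_TARGET_VERSION cases drop their `$t_request = ...` line while UP_PRIOR and UP_STATUS (the hunk above) keep theirs, so the variable is now assigned for some actions and left untouched for others. If `$t_request` is still read after the switch, which is outside this hunk, those four cases will see whatever value it held before — an undefined variable unless it is initialised — so either add `$t_request = '';` ahead of the switch or leave a comment in those cases stating that `$t_request` is deliberately unset, presumably because no matching `*_enum_string` option exists for them (the #7764 warning named in the log). The `default:` branch at the end of the last hunk is cut off, so whether it assigns `$t_form_name` cannot be seen from here.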
@@ -201,6 +211,11 @@ <div align="center"> <form method="post" action="bug_actiongroup.php"> +<?php +if ( !is_blank( $t_form_name ) ) { + echo form_security_field( $t_form_name ); +} +?> <input type="hidden" name="action" value="<?php echo string_attribute( $f_action ) ?>" /> <?php bug_group_action_print_hidden_fields( $f_bug_arr ); Modified: branches/BRANCH_1_1_0/mantisbt/tag_detach.php =================================================================== --- branches/BRANCH_1_1_0/mantisbt/tag_detach.php 2008-06-04 19:23:36 UTC (rev 5325) +++ branches/BRANCH_1_1_0/mantisbt/tag_detach.php 2008-06-05 06:29:11 UTC (rev 5326) @@ -27,8 +27,6 @@ require_once( $t_core_path . 'tag_api.php' ); - helper_ensure_post(); - $f_tag_id = gpc_get_int( 'tag_id' ); $f_bug_id = gpc_get_int( 'bug_id' ); $t_user_id = auth_get_current_user_id(); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
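Review bot: `is_blank( $t_form_name )` reads a variable that the previous hunks assign only inside individual `case` branches; if the switch's `default:` branch (cut off at the end of the previous hunk) or the pre-switch code does not initialise it, this line raises an undefined-variable notice for any action that reaches the form. Initialise it before the switch, `$t_form_name = '';`, so the check here is well defined. Silently omitting the token when the name is blank also produces a form that bug_actiongroup.php will reject, since every handled action there calls `form_security_validate`; a blank name at this point is a programming error and is better surfaced, e.g. `$t_form_name === '' ? trigger_error( ERROR_GENERIC, ERROR ) : print form_security_field( $t_form_name );`, or at least documented with a comment such as `# every action handled by bug_actiongroup.php requires a token; a blank name means the switch above is missing a case`. The enclosing form markup continues outside the hunk.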