[Rt-commit] rt branch, master, updated. rt-4.0.8-759-g9227a65
Alex Vandiver
alexmv at bestpractical.com
Mon Dec 3 15:52:22 EST 2012
The branch, master has been updated
via 9227a65159da7ac9e5620dbb52ea94f7614434e8 (commit)
via 24492504ec8f21d73339738b52979dbe1668cdd4 (commit)
via 1fbb632972e7581d7d43c3f0cb3f607b12e76234 (commit)
via 2b89931f6aff7b5c8175d09ececd578183e503a2 (commit)
via bbe0de9dfb28db947e9f6ece14f5592bd5b3dc06 (commit)
via 5b4458d9096fa84dd977898dba1ba8dd53678d99 (commit)
via 449b19f6fbc6839c3c6e7564462d9c6ada4e0aed (commit)
via d10751b790a489583a37c9579724ed11f18ad08f (commit)
via e301feebe9d664d07a0e00295f7c6ae1de9da2ee (commit)
via 9f5840fd64ae260829db947c4b7ec6e81b09fbe9 (commit)
via 1021ea716ae33535a3776dc9baee66eabae89f5e (commit)
via 09db186a0fbfa70eded2054e215e120ebc6eae7c (commit)
via 7451d9998c30e569ecc300c0751fe8034f173931 (commit)
via 155e65849b0940b7db5dfbb7e9be4a60b5bccda1 (commit)
via 92cefb5d449037ad8b07f4a5f74df1b3e85c7352 (commit)
via cb7bbd64290b0ada5166dd350d4404132f33d406 (commit)
via 53ec4071e2ae1b7e52f1e5d5ee89cff3fee625b2 (commit)
via 7c5822116d395c571fca8b6f59c4c82e10e6cc5e (commit)
via 07d7575cef1ad5fdad370dd757393b6d9be44ce6 (commit)
via b63bcd842e8995c0386fe91b460976bc1d66315d (commit)
via 5fb0630bf0239cfef9b9cbe0b2e2b44c14b83e02 (commit)
via 532e0dfcb770bd06c8df608e24b16d92d68ff1e4 (commit)
via a302974b0fc22ae458d7932d3aea6af5826cdce9 (commit)
via 76dd77131cde231ebd41194194cfb425b34a405f (commit)
via 74d3205567d2c52549a7db68a7fd9e28499a65ef (commit)
via 9cfe4b0427ba15712f3b3eb34afb393daee9678a (commit)
via 821d5b35e32436aab975954699a0e736b6f6d67a (commit)
via 5fbdbd6b8390d59c6ee0fe2eb02a80f8feb34b1a (commit)
via 9e81ab62235201213e9357b7390d1766f4121e68 (commit)
via 22099a1b5a515870be82429cd7872d4c68485a9b (commit)
via 9dde3f545880266a019f09afa155e23a64394208 (commit)
via fb13e4dfe70cbaeb3f7a8a22269a30db47884255 (commit)
via d2f4e770c67baabbed167d78f95500cffd8817a4 (commit)
via 3d2987ff6c7c477011c4f090c686f678ccbe84b5 (commit)
via 47af9f4433f40d70532428c220d37539e3a141df (commit)
via c5a2b457abd855e238d58247a43e77131cc7c7f2 (commit)
via 6977b6e241586b5f69d981f441b5ef94b613591f (commit)
via 2af173931da0b61c2aacd75cc01b47ce7e25e546 (commit)
via 824c63cc3e7be2c3a05e54f9ffe0e143c65ebab5 (commit)
via 31269e198ed2de2002bf55d9f9f857950955abea (commit)
via e3a2ea8b8bca78dde8740ca91ebcf6f7acf5b148 (commit)
via 292ac539c6fb4922eab67b681bd843c61678f05d (commit)
via 178dd6f2a1fa606ea497947ffda420d2715b9a73 (commit)
via b4aff021d431df0d31b23240081c115b48c72f43 (commit)
via 6d07690c1fa2584fe4fbe048bab6fa67cb7a51af (commit)
via 2d290a344d42752112e954f49ec03d4e0852ec16 (commit)
via 62116eee6ccf8f40f812229c58b42374b1aadf03 (commit)
via 5585cbb69fa82aafba77e2bb5f66ad5ae8d194b1 (commit)
via f39d2a0eec75b2411c7f6ca1e9520fbe332b9593 (commit)
via ff7e413261a02bfba66f6dfc304162050d6a9715 (commit)
via b28951e6a0dfe20be9b3ac5a29d2296905498b62 (commit)
via 80bf39f55afdefc9c4e0c695bca0120256446bad (commit)
via 15d4da6fb6707f26228c301cd33cbb2210c0dd41 (commit)
via da1736e54204ec7dd09edf444a8cc03737058ed5 (commit)
via a64a16d1cf32a0fc2d9ca298e7323891759ae739 (commit)
via 3d91316bfc2e0e7690c2cecef549e7d8dda1b85e (commit)
via db2a6ae274a580644ac96ed88850168c9283a4f0 (commit)
via 6d9a25d3c8c9d3dfc0df241579e7e4eca406265a (commit)
via 6ec04b549b4716b192c4b11490567204e16a872b (commit)
via 87115bba26663f747c6bcb9657f0a31480df3a38 (commit)
via 9ac4d62d11547ce47c8493b42d96757719244ed2 (commit)
via 8b52964b85736a035513712d036327e47f619d1f (commit)
via 67d3a052f668c0eb0df4f7165e4914e50c5f74f2 (commit)
via 0d3f239895d3fe07dbdd36bb28c201b9611f1a35 (commit)
via befe72e46b122285b7cfec4230f2b0ba3cbac9da (commit)
via e904afe26e55c216db1716be5ec0e17aaa3ce65a (commit)
via 9189e6989c6a78aa52b024e0027be2e04217aeb6 (commit)
via 348f1b76a54d9212b0c310f388050746e6a1d143 (commit)
via 1a7e87b7083a995c0040fd317e0ee65c4ac46ba6 (commit)
via c32d728a0f56d7a42e054e710c2abfd91d7230d2 (commit)
via ddece420ba49ee2cbed760cab028cb3dce36ae51 (commit)
via d24effb1afc31a6afc7c5924bdce3873c37169c0 (commit)
via 81df7e2d07c35834b670e0e41adf677cd15affb5 (commit)
via 19721b8012776f5ae523e27f07b6dac06ad1dded (commit)
via 12b0fded547c53c79db4f5a2e2f049b5f397d387 (commit)
via 0f3d6b4afa982f35ca444c6417b8223c92a87096 (commit)
via ea553805004e2fe114778029939aaf2d2c4670d5 (commit)
from b79c06b7a9008f6282ff07dcc8b612b83aaf94fc (commit)
Summary of changes:
bin/rt.in | 2 +-
docs/customizing/articles_introduction.pod | 86 ++---
etc/upgrade/4.0.9/content | 33 ++
lib/RT/Action/Autoreply.pm | 2 +-
lib/RT/Article.pm | 8 -
lib/RT/Attachment.pm | 2 +-
lib/RT/CurrentUser.pm | 9 +-
lib/RT/CustomField.pm | 7 +-
lib/RT/EmailParser.pm | 2 +-
lib/RT/Group.pm | 2 +-
lib/RT/Groups.pm | 4 +-
lib/RT/Interface/CLI.pm | 2 +-
lib/RT/Interface/Email.pm | 10 +-
lib/RT/Interface/REST.pm | 3 +-
lib/RT/Interface/Web.pm | 7 +-
lib/RT/ObjectCustomFieldValues.pm | 4 +-
lib/RT/Queue.pm | 24 +-
lib/RT/Record.pm | 54 ++--
lib/RT/SQL.pm | 2 +-
lib/RT/SavedSearch.pm | 22 ++
lib/RT/Scrip.pm | 8 +-
lib/RT/ScripCondition.pm | 4 +-
lib/RT/Test.pm | 5 +
lib/RT/Ticket.pm | 73 +++--
lib/RT/Tickets.pm | 8 +-
lib/RT/Transaction.pm | 40 +--
lib/RT/Users.pm | 2 +-
sbin/rt-fulltext-indexer.in | 9 +-
share/html/Admin/Elements/ModifyTemplate | 7 +-
share/html/Admin/Global/Template.html | 5 +-
share/html/Admin/Queues/Modify.html | 3 +-
share/html/Admin/Queues/Template.html | 5 +-
share/html/Articles/Article/PreCreate.html | 1 +
share/html/Articles/Article/Search.html | 2 +-
share/html/Elements/ColumnMap | 18 +-
share/html/Elements/RT__CustomField/ColumnMap | 4 +-
share/html/Elements/ShowSearch | 10 +-
share/html/Elements/Tabs | 362 +++++++++++-----------
share/html/NoAuth/css/aileron/nav.css | 1 +
share/html/Prefs/Search.html | 2 +-
share/html/REST/1.0/Forms/ticket/comment | 5 +-
share/html/REST/1.0/Forms/ticket/default | 3 +-
share/html/REST/1.0/ticket/comment | 5 +-
share/html/Search/Build.html | 2 +-
share/html/Search/Results.html | 5 +
share/html/m/_elements/raw_style | 4 +-
share/html/m/ticket/reply | 8 +-
t/customfields/api.t | 27 +-
t/security/CVE-2011-2083-cf-urls.t | 48 +++
t/security/CVE-2011-2083-clickable-xss.t | 52 ++++
t/security/CVE-2011-2083-scrub.t | 18 ++
t/security/CVE-2011-2084-attach-tickets.t | 64 ++++
t/security/CVE-2011-2084-cf-values.t | 132 ++++++++
t/security/CVE-2011-2084-modifyscrips-templates.t | 133 ++++++++
t/security/CVE-2011-2084-transactions.t | 59 ++++
t/security/CVE-2011-4458-verp.t | 48 +++
t/security/CVE-2011-4460-rows-per-page.t | 32 ++
t/security/CVE-2011-5092-datetimeformat.t | 48 +++
t/security/CVE-2011-5092-graph-links.t | 27 ++
t/security/CVE-2011-5092-installmode.t | 24 ++
t/security/CVE-2011-5092-localizeddatetime.t | 30 ++
t/security/CVE-2011-5092-prefs.t | 77 +++++
t/security/CVE-2011-5093-execute-code.t | 53 ++++
t/{mail => security}/fake-sendmail | 5 +-
t/ticket/search.t | 11 +-
t/web/admin_queue_lifecycle.t | 49 +++
t/web/command_line_cf_edge_cases.t | 87 ++++++
t/web/custom_frontpage.t | 21 +-
t/web/html_template.t | 2 +-
69 files changed, 1552 insertions(+), 381 deletions(-)
create mode 100644 etc/upgrade/4.0.9/content
create mode 100644 t/security/CVE-2011-2083-cf-urls.t
create mode 100644 t/security/CVE-2011-2083-clickable-xss.t
create mode 100644 t/security/CVE-2011-2083-scrub.t
create mode 100644 t/security/CVE-2011-2084-attach-tickets.t
create mode 100644 t/security/CVE-2011-2084-cf-values.t
create mode 100644 t/security/CVE-2011-2084-modifyscrips-templates.t
create mode 100644 t/security/CVE-2011-2084-transactions.t
create mode 100644 t/security/CVE-2011-4458-verp.t
create mode 100644 t/security/CVE-2011-4460-rows-per-page.t
create mode 100644 t/security/CVE-2011-5092-datetimeformat.t
create mode 100644 t/security/CVE-2011-5092-graph-links.t
create mode 100644 t/security/CVE-2011-5092-installmode.t
create mode 100644 t/security/CVE-2011-5092-localizeddatetime.t
create mode 100644 t/security/CVE-2011-5092-prefs.t
create mode 100644 t/security/CVE-2011-5093-execute-code.t
copy t/{mail => security}/fake-sendmail (77%)
create mode 100644 t/web/admin_queue_lifecycle.t
create mode 100644 t/web/command_line_cf_edge_cases.t
- Log -----------------------------------------------------------------
commit 1fbb632972e7581d7d43c3f0cb3f607b12e76234
Merge: b79c06b 2b89931
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Mon Dec 3 14:58:50 2012 -0500
Merge branch '4.0-trunk'
Adjusted etc/upgrade/4.0.9/content to pass tests.
t/security/CVE-2011-2084-modifyscrips-templates.t fails because of
apply-scrips-to-multiple-queues and templates-as-name; see the following
commit.
Conflicts:
lib/RT/Article.pm
lib/RT/Record.pm
lib/RT/Ticket.pm
share/html/Elements/Tabs
share/html/Ticket/ModifyAll.html
diff --cc etc/upgrade/4.0.9/content
index 0000000,1ec322e..fb7cfbf
mode 000000,100644..100644
--- a/etc/upgrade/4.0.9/content
+++ b/etc/upgrade/4.0.9/content
@@@ -1,0 -1,30 +1,33 @@@
- at Final = (
++use strict;
++use warnings;
++
++our @Final = (
+ sub {
- $RT::Logger->debug(
++ RT->Logger->debug(
+ 'Going to update empty Queue Lifecycle column to "default"');
+
+ my $queues = RT::Queues->new( RT->SystemUser );
+ $queues->FindAllRows;
+ $queues->Limit(
+ FIELD => 'Lifecycle',
+ OPERATOR => 'IS',
+ VALUE => 'NULL',
+ );
+
+ $queues->Limit(
+ FIELD => 'Lifecycle',
+ VALUE => '',
+ ENTRYAGGREGATOR => 'OR',
+ );
+
+ $queues->Limit(
+ FIELD => 'Lifecycle',
+ VALUE => 0,
+ ENTRYAGGREGATOR => 'OR',
+ );
+
+ while ( my $q = $queues->Next ) {
+ $q->SetLifecycle('default');
+ }
+ }
+ );
diff --cc lib/RT/Article.pm
index e82977b,58dd94b..eaca9b5
--- a/lib/RT/Article.pm
+++ b/lib/RT/Article.pm
@@@ -610,20 -611,6 +610,12 @@@ sub CustomFieldLookupType
"RT::Class-RT::Article";
}
- # _LookupId is the id of the toplevel type object the customfield is joined to
- # in this case, that's an RT::Class.
-
- sub _LookupId {
- my $self = shift;
- return $self->ClassObj->id;
-
- }
+
+sub ACLEquivalenceObjects {
+ my $self = shift;
+ return $self->ClassObj;
+}
+
=head2 LoadByInclude Field Value
Takes the name of a form field from "Include Article"
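Review bot: `ACLEquivalenceObjects` lands here without any POD, although it is the method that decides which object's rights stand in for the article's. As the name suggests, returning `$self->ClassObj` makes rights granted on the class count for the article, and that is worth stating where the next maintainer will look. I would add a `=head2 ACLEquivalenceObjects` section above the sub with one sentence saying that it returns the article's class so that class-level rights apply to the article.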
diff --cc lib/RT/Ticket.pm
index ecb0f93,47e61e9..b0f3dcd
--- a/lib/RT/Ticket.pm
+++ b/lib/RT/Ticket.pm
@@@ -651,8 -779,237 +651,40 @@@ sub _Parse822HeadersForAttributes
return (%args);
}
-
-
-=head2 Import PARAMHASH
-
-Import a ticket.
-Doesn't create a transaction.
-Doesn't supply queue defaults, etc.
-
-Returns: TICKETID
-
-=cut
-
-sub Import {
- my $self = shift;
- my ( $ErrStr, $QueueObj, $Owner );
-
- my %args = (
- id => undef,
- EffectiveId => undef,
- Queue => undef,
- Requestor => undef,
- Type => 'ticket',
- Owner => RT->Nobody->Id,
- Subject => '[no subject]',
- InitialPriority => undef,
- FinalPriority => undef,
- Status => 'new',
- TimeWorked => "0",
- Due => undef,
- Created => undef,
- Updated => undef,
- Resolved => undef,
- Told => undef,
- @_
- );
-
- if ( ( defined( $args{'Queue'} ) ) && ( !ref( $args{'Queue'} ) ) ) {
- $QueueObj = RT::Queue->new(RT->SystemUser);
- $QueueObj->Load( $args{'Queue'} );
-
- #TODO error check this and return 0 if it's not loading properly +++
- }
- elsif ( ref( $args{'Queue'} ) eq 'RT::Queue' ) {
- $QueueObj = RT::Queue->new(RT->SystemUser);
- $QueueObj->Load( $args{'Queue'}->Id );
- }
- else {
- $RT::Logger->debug(
- "$self " . $args{'Queue'} . " not a recognised queue object." );
- }
-
- #Can't create a ticket without a queue.
- unless ( defined($QueueObj) and $QueueObj->Id ) {
- $RT::Logger->debug("$self No queue given for ticket creation.");
- return ( 0, $self->loc('Could not create ticket. Queue not set') );
- }
-
- #Now that we have a queue, Check the ACLS
- unless (
- $self->CurrentUser->HasRight(
- Right => 'CreateTicket',
- Object => $QueueObj
- )
- )
- {
- return ( 0,
- $self->loc("No permission to create tickets in the queue '[_1]'"
- , $QueueObj->Name));
- }
-
- # Deal with setting the owner
-
- # Attempt to take user object, user name or user id.
- # Assign to nobody if lookup fails.
- if ( defined( $args{'Owner'} ) ) {
- if ( ref( $args{'Owner'} ) ) {
- $Owner = $args{'Owner'};
- }
- else {
- $Owner = RT::User->new( $self->CurrentUser );
- $Owner->Load( $args{'Owner'} );
- if ( !defined( $Owner->id ) ) {
- $Owner->Load( RT->Nobody->id );
- }
- }
- }
-
- #If we have a proposed owner and they don't have the right
- #to own a ticket, scream about it and make them not the owner
- if (
- ( defined($Owner) )
- and ( $Owner->Id != RT->Nobody->Id )
- and (
- !$Owner->HasRight(
- Object => $QueueObj,
- Right => 'OwnTicket'
- )
- )
- )
- {
-
- $RT::Logger->warning( "$self user "
- . $Owner->Name . "("
- . $Owner->id
- . ") was proposed "
- . "as a ticket owner but has no rights to own "
- . "tickets in '"
- . $QueueObj->Name . "'" );
-
- $Owner = undef;
- }
-
- #If we haven't been handed a valid owner, make it nobody.
- unless ( defined($Owner) ) {
- $Owner = RT::User->new( $self->CurrentUser );
- $Owner->Load( RT->Nobody->UserObj->Id );
- }
-
- # }}}
-
- unless ( $self->ValidateStatus( $args{'Status'} ) ) {
- return ( 0, $self->loc("'[_1]' is an invalid value for status", $args{'Status'}) );
- }
-
- $self->{'_AccessibleCache'}{Created} = { 'read' => 1, 'write' => 1 };
- $self->{'_AccessibleCache'}{Creator} = { 'read' => 1, 'auto' => 1 };
- $self->{'_AccessibleCache'}{LastUpdated} = { 'read' => 1, 'write' => 1 };
- $self->{'_AccessibleCache'}{LastUpdatedBy} = { 'read' => 1, 'auto' => 1 };
-
- # If we're coming in with an id, set that now.
- my $EffectiveId = undef;
- if ( $args{'id'} ) {
- $EffectiveId = $args{'id'};
-
- }
-
- my $id = $self->SUPER::Create(
- id => $args{'id'},
- EffectiveId => $EffectiveId,
- Queue => $QueueObj->Id,
- Owner => $Owner->Id,
- Subject => $args{'Subject'}, # loc
- InitialPriority => $args{'InitialPriority'}, # loc
- FinalPriority => $args{'FinalPriority'}, # loc
- Priority => $args{'InitialPriority'}, # loc
- Status => $args{'Status'}, # loc
- TimeWorked => $args{'TimeWorked'}, # loc
- Type => $args{'Type'}, # loc
- Created => $args{'Created'}, # loc
- Told => $args{'Told'}, # loc
- LastUpdated => $args{'Updated'}, # loc
- Resolved => $args{'Resolved'}, # loc
- Due => $args{'Due'}, # loc
- );
-
- # If the ticket didn't have an id
- # Set the ticket's effective ID now that we've created it.
- if ( $args{'id'} ) {
- $self->Load( $args{'id'} );
- }
- else {
- my ( $val, $msg ) =
- $self->__Set( Field => 'EffectiveId', Value => $id );
-
- unless ($val) {
- $RT::Logger->err(
- $self . "->Import couldn't set EffectiveId: $msg" );
- }
- }
-
- my $create_groups_ret = $self->_CreateTicketGroups();
- unless ($create_groups_ret) {
- $RT::Logger->crit(
- "Couldn't create ticket groups for ticket " . $self->Id );
- }
-
- $self->OwnerGroup->_AddMember( PrincipalId => $Owner->PrincipalId );
-
- foreach my $watcher ( @{ $args{'Cc'} } ) {
- $self->_AddWatcher( Type => 'Cc', Email => $watcher, Silent => 1 );
- }
- foreach my $watcher ( @{ $args{'AdminCc'} } ) {
- $self->_AddWatcher( Type => 'AdminCc', Email => $watcher,
- Silent => 1 );
- }
- foreach my $watcher ( @{ $args{'Requestor'} } ) {
- $self->_AddWatcher( Type => 'Requestor', Email => $watcher,
- Silent => 1 );
- }
-
- return ( $self->Id, $ErrStr );
-}
-
-
-
-
+ =head2 _CreateTicketGroups
+
+ Create the ticket groups and links for this ticket.
+ This routine expects to be called from Ticket->Create _inside of a transaction_
+
+ It will create four groups for this ticket: Requestor, Cc, AdminCc and Owner.
+
+ It will return true on success and undef on failure.
+
+
+ =cut
+
+
+ sub _CreateTicketGroups {
+ my $self = shift;
+
+ my @types = (qw(Requestor Owner Cc AdminCc));
+
+ foreach my $type (@types) {
+ my $type_obj = RT::Group->new($self->CurrentUser);
+ my ($id, $msg) = $type_obj->CreateRoleGroup(Domain => 'RT::Ticket-Role',
+ Instance => $self->Id,
+ Type => $type);
+ unless ($id) {
+ $RT::Logger->error("Couldn't create a ticket group of type '$type' for ticket ".
+ $self->Id.": ".$msg);
+ return(undef);
+ }
+ }
+ return(1);
+
+ }
-
=head2 OwnerGroup
A constructor which returns an RT::Group object containing the owner of this ticket.
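Review bot: `_CreateTicketGroups` signals failure with `return(undef);`, which is a one-element list, and therefore true, if a caller ever evaluates it in list context. A bare `return;` yields undef in scalar context and an empty list in list context, so it still matches the POD's "undef on failure" for scalar callers. The POD could also say that the routine stops at the first role group that fails and relies on the caller's transaction to undo the groups already created.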
diff --cc share/html/Elements/Tabs
index 73ce15d,bdf89fe..4624095
--- a/share/html/Elements/Tabs
+++ b/share/html/Elements/Tabs
@@@ -284,29 -269,31 +284,31 @@@ my $build_admin_menu = sub
my $queue_obj = RT::Queue->new( $session{'CurrentUser'} );
$queue_obj->Load($id);
- my $queue = PageMenu();
- $queue->child( basics => title => loc('Basics'), path => "/Admin/Queues/Modify.html?id=" . $id );
- $queue->child( people => title => loc('Watchers'), path => "/Admin/Queues/People.html?id=" . $id );
+ if ( $queue_obj and $queue_obj->id ) {
+ my $queue = PageMenu();
+ $queue->child( basics => title => loc('Basics'), path => "/Admin/Queues/Modify.html?id=" . $id );
+ $queue->child( people => title => loc('Watchers'), path => "/Admin/Queues/People.html?id=" . $id );
- my $templates = $queue->child(templates => title => loc('Templates'), path => "/Admin/Queues/Templates.html?id=" . $id);
- $templates->child( select => title => loc('Select'), path => "/Admin/Queues/Templates.html?id=".$id);
- $templates->child( create => title => loc('Create'), path => "/Admin/Queues/Template.html?Create=1;Queue=".$id);
+ my $templates = $queue->child(templates => title => loc('Templates'), path => "/Admin/Queues/Templates.html?id=" . $id);
+ $templates->child( select => title => loc('Select'), path => "/Admin/Queues/Templates.html?id=".$id);
+ $templates->child( create => title => loc('Create'), path => "/Admin/Queues/Template.html?Create=1;Queue=".$id);
- my $scrips = $queue->child( scrips => title => loc('Scrips'), path => "/Admin/Queues/Scrips.html?id=" . $id);
- $scrips->child( select => title => loc('Select'), path => "/Admin/Queues/Scrips.html?id=" . $id );
- $scrips->child( create => title => loc('Create'), path => "/Admin/Scrips/Create.html?Queue=" . $id);
+ my $scrips = $queue->child( scrips => title => loc('Scrips'), path => "/Admin/Queues/Scrips.html?id=" . $id);
+ $scrips->child( select => title => loc('Select'), path => "/Admin/Queues/Scrips.html?id=" . $id );
- $scrips->child( create => title => loc('Create'), path => "/Admin/Queues/Scrip.html?Create=1;Queue=" . $id);
++ $scrips->child( create => title => loc('Create'), path => "/Admin/Scrips/Create.html?Queue=" . $id);
- my $ticket_cfs = $queue->child( 'ticket-custom-fields' => title => loc('Ticket Custom Fields'),
- path => '/Admin/Queues/CustomFields.html?SubType=RT::Ticket&id=' . $id );
+ my $ticket_cfs = $queue->child( 'ticket-custom-fields' => title => loc('Ticket Custom Fields'),
+ path => '/Admin/Queues/CustomFields.html?SubType=RT::Ticket&id=' . $id );
- my $txn_cfs = $queue->child( 'transaction-custom-fields' => title => loc('Transaction Custom Fields'),
- path => '/Admin/Queues/CustomFields.html?SubType=RT::Ticket-RT::Transaction&id='.$id );
+ my $txn_cfs = $queue->child( 'transaction-custom-fields' => title => loc('Transaction Custom Fields'),
+ path => '/Admin/Queues/CustomFields.html?SubType=RT::Ticket-RT::Transaction&id='.$id );
- $queue->child( 'group-rights' => title => loc('Group Rights'), path => "/Admin/Queues/GroupRights.html?id=".$id );
- $queue->child( 'user-rights' => title => loc('User Rights'), path => "/Admin/Queues/UserRights.html?id=" . $id );
+ $queue->child( 'group-rights' => title => loc('Group Rights'), path => "/Admin/Queues/GroupRights.html?id=".$id );
+ $queue->child( 'user-rights' => title => loc('User Rights'), path => "/Admin/Queues/UserRights.html?id=" . $id );
- $m->callback( CallbackName => 'PrivilegedQueue', queue_id => $id, page_menu => $queue);
+ $m->callback( CallbackName => 'PrivilegedQueue', queue_id => $id, page_menu => $queue);
+ }
}
}
if ( $request_path =~ m{^/Admin/Users} ) {
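Review bot: The menu paths in the queue block are still built from `$id`, even though the new guard has just confirmed `$queue_obj->id`; the Groups block later in this file already uses `$obj->id`. `$id` is assigned outside the hunk, presumably from the request, and `Load` may accept a name as well as a number, so the concatenated value is not guaranteed to be the canonical id. Building the links from the loaded object, e.g. `path => "/Admin/Queues/Modify.html?id=" . $queue_obj->id`, keeps request-supplied text out of the generated URLs and out of `queue_id` in the `PrivilegedQueue` callback. The same applies to the Users and CustomFields hunks below, with `$obj->id`. `$build_admin_menu` starts and ends outside the hunk.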
@@@ -315,17 -302,15 +317,19 @@@
my $obj = RT::User->new( $session{'CurrentUser'} );
$obj->Load($id);
- my $tabs = PageMenu();
- $tabs->child( basics => title => loc('Basics'), path => "/Admin/Users/Modify.html?id=" . $id );
- $tabs->child( memberships => title => loc('Memberships'), path => "/Admin/Users/Memberships.html?id=" . $id );
- $tabs->child( history => title => loc('History'), path => "/Admin/Users/History.html?id=" . $id );
- $tabs->child( 'my-rt' => title => loc('RT at a glance'), path => "/Admin/Users/MyRT.html?id=" . $id );
- $tabs->child( 'dashboards-in-menu' =>
- title => loc('Dashboards in menu'),
- path => '/Admin/Users/DashboardsInMenu.html?id=' . $id,
- );
- if ( RT->Config->Get('GnuPG')->{'Enable'} ) {
- $tabs->child( pgp => title => loc('GnuPG'), path => "/Admin/Users/GnuPG.html?id=" . $id );
+ if ( $obj and $obj->id ) {
+ my $tabs = PageMenu();
+ $tabs->child( basics => title => loc('Basics'), path => "/Admin/Users/Modify.html?id=" . $id );
+ $tabs->child( memberships => title => loc('Memberships'), path => "/Admin/Users/Memberships.html?id=" . $id );
+ $tabs->child( history => title => loc('History'), path => "/Admin/Users/History.html?id=" . $id );
+ $tabs->child( 'my-rt' => title => loc('RT at a glance'), path => "/Admin/Users/MyRT.html?id=" . $id );
++ $tabs->child( 'dashboards-in-menu' =>
++ title => loc('Dashboards in menu'),
++ path => '/Admin/Users/DashboardsInMenu.html?id=' . $id,
++ );
+ if ( RT->Config->Get('GnuPG')->{'Enable'} ) {
+ $tabs->child( pgp => title => loc('GnuPG'), path => "/Admin/Users/GnuPG.html?id=" . $id );
+ }
}
}
@@@ -337,12 -322,14 +341,14 @@@
my $obj = RT::Group->new( $session{'CurrentUser'} );
$obj->Load($id);
- my $tabs = PageMenu();
- $tabs->child( basics => title => loc('Basics'), path => "/Admin/Groups/Modify.html?id=" . $obj->id );
- $tabs->child( members => title => loc('Members'), path => "/Admin/Groups/Members.html?id=" . $obj->id );
- $tabs->child( 'group-rights' => title => loc('Group Rights'), path => "/Admin/Groups/GroupRights.html?id=" . $obj->id );
- $tabs->child( 'user-rights' => title => loc('User Rights'), path => "/Admin/Groups/UserRights.html?id=" . $obj->id );
- $tabs->child( history => title => loc('History'), path => "/Admin/Groups/History.html?id=" . $obj->id );
- if ( $obj and $obj->id ) {
++ if ( $obj and $obj->id ) {
+ my $tabs = PageMenu();
+ $tabs->child( basics => title => loc('Basics'), path => "/Admin/Groups/Modify.html?id=" . $obj->id );
+ $tabs->child( members => title => loc('Members'), path => "/Admin/Groups/Members.html?id=" . $obj->id );
+ $tabs->child( 'group-rights' => title => loc('Group Rights'), path => "/Admin/Groups/GroupRights.html?id=" . $obj->id );
+ $tabs->child( 'user-rights' => title => loc('User Rights'), path => "/Admin/Groups/UserRights.html?id=" . $obj->id );
+ $tabs->child( history => title => loc('History'), path => "/Admin/Groups/History.html?id=" . $obj->id );
+ }
}
}
@@@ -352,12 -339,12 +358,14 @@@
my $obj = RT::CustomField->new( $session{'CurrentUser'} );
$obj->Load($id);
- my $tabs = PageMenu();
- $tabs->child( basics => title => loc('Basics'), path => "/Admin/CustomFields/Modify.html?id=".$id );
- $tabs->child( 'group-rights' => title => loc('Group Rights'), path => "/Admin/CustomFields/GroupRights.html?id=" . $id );
- $tabs->child( 'user-rights' => title => loc('User Rights'), path => "/Admin/CustomFields/UserRights.html?id=" . $id );
- unless ( $obj->IsOnlyGlobal ) {
- $tabs->child( 'applies-to' => title => loc('Applies to'), path => "/Admin/CustomFields/Objects.html?id=" . $id );
+ if ( $obj and $obj->id ) {
+ my $tabs = PageMenu();
- $tabs->child( basics => title => loc('Basics'), path => "/Admin/CustomFields/Modify.html?id=".$id );
- $tabs->child( 'group-rights' => title => loc('Group Rights'), path => "/Admin/CustomFields/GroupRights.html?id=" . $id );
- $tabs->child( 'user-rights' => title => loc('User Rights'), path => "/Admin/CustomFields/UserRights.html?id=" . $id );
- $tabs->child( 'applies-to' => title => loc('Applies to'), path => "/Admin/CustomFields/Objects.html?id=" . $id );
++ $tabs->child( basics => title => loc('Basics'), path => "/Admin/CustomFields/Modify.html?id=".$id );
++ $tabs->child( 'group-rights' => title => loc('Group Rights'), path => "/Admin/CustomFields/GroupRights.html?id=" . $id );
++ $tabs->child( 'user-rights' => title => loc('User Rights'), path => "/Admin/CustomFields/UserRights.html?id=" . $id );
++ unless ( $obj->IsOnlyGlobal ) {
++ $tabs->child( 'applies-to' => title => loc('Applies to'), path => "/Admin/CustomFields/Objects.html?id=" . $id );
++ }
}
}
}
diff --cc share/html/Search/Build.html
index 1b1fdbb,bcbd08f..3709bf3
--- a/share/html/Search/Build.html
+++ b/share/html/Search/Build.html
@@@ -220,9 -220,8 +220,9 @@@ foreach my $arg ( keys %ARGS )
for ( my $i = 0; $i < @ops; $i++ ) {
my ( $op, $value ) = ( $ops[$i], $values[$i] );
next if !defined $value || $value eq '';
+ my $rawvalue = $value;
- if ( $value eq 'NULL' && $op =~ /=/ ) {
+ if ( $value =~ /^NULL$/i && $op =~ /=/ ) {
if ( $op eq '=' ) {
$op = "IS";
}
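Review bot: The new test `$value =~ /^NULL$/i` also accepts a value with a trailing newline, because `$` matches before a final "\n"; `$value` comes from `%ARGS`, so that input is reachable. Anchoring on the string itself, `if ( $value =~ /\ANULL\z/i && $op =~ /=/ ) {`, matches only the literal word in any case. `$rawvalue` is declared here but its use lies outside the hunk, so a one-line comment on why the unmodified value is kept would help; the enclosing loop continues past the hunk.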
commit 24492504ec8f21d73339738b52979dbe1668cdd4
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Mon Dec 3 15:10:39 2012 -0500
Updates for scrips applying to multiple queues
diff --git a/t/security/CVE-2011-2084-modifyscrips-templates.t b/t/security/CVE-2011-2084-modifyscrips-templates.t
index f68706e..de3c3b1 100644
--- a/t/security/CVE-2011-2084-modifyscrips-templates.t
+++ b/t/security/CVE-2011-2084-modifyscrips-templates.t
@@ -59,32 +59,39 @@ diag "ModifyScrips";
$scrip = RT::Scrip->new( $cu );
$scrip->Load( $scrip_id );
ok $scrip->id, "loaded scrip as test user";
- is $scrip->Queue, $qa->Id, 'queue is A';
+ ok $scrip->IsAdded( $qa->Id ), 'queue is A';
ok +($scrip->SetName('Testing ModifyScrips'));
- set_fails( Queue => $scrip => $qb );
- set_fails( Queue => $scrip => 0 );
- set_fails( Queue => $scrip => undef );
- set_fails( Queue => $scrip => '' );
+ for my $value ($qb->id, 0, undef, '') {
+ my ($ok, $why) = $scrip->AddToObject( $value );
+ my $disp = (defined($value) ? "'$value'" : "undef");
+ ok( !$ok, "Correctly not added to $disp: $why" );
+ }
RT::Test->add_rights( Principal => $user, Right => 'ModifyScrips', Object => $qb );
- set_ok( Queue => $scrip => $qb );
- set_fails( Queue => $scrip => 0 );
- set_fails( Queue => $scrip => undef );
- set_fails( Queue => $scrip => '' );
+ for my $value ($qb->id, 0, undef, '') {
+ my ($ok, $why) = $scrip->AddToObject( $value );
+ my $disp = (defined($value) ? "'$value'" : "undef");
+ if ($value) {
+ ok( $ok, "Correctly added to $disp: $why" );
+ } else {
+ ok( !$ok, "Correctly not added to $disp: $why" );
+ }
+ }
RT::Test->add_rights( Principal => $user, Right => 'ModifyScrips' );
- set_ok( Queue => $scrip => 0 );
+ my ($ok, $why) = $scrip->AddToObject( 0 );
+ ok( $ok, "Correctly added globally: $why" );
- set_fails( Template => $scrip => 2 );
+ set_fails( Template => $scrip => "Autoreply" );
RT::Test->add_rights( Principal => $user, Right => 'ShowTemplate' );
- set_ok( Template => $scrip => 2 );
- is $scrip->TemplateObj->Name, 'Autoreply', 'template name is right';
+ set_ok( Template => $scrip => "Autoreply" );
+ is $scrip->Template, 'Autoreply', 'template name is right';
}
diag "ModifyTemplate";
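Review bot: The rewritten loops check only the return value of `AddToObject`, not the resulting state, so a call that reports failure but still applies the scrip would pass this regression test. After each rejected attempt I would assert the state as well, e.g. `ok( !$scrip->IsAdded( $qb->id ), "still not added to B" );` in the first loop. The replaced `is $scrip->Queue, $qa->Id` also implied the scrip was on A only, so an `ok !$scrip->IsAdded( $qb->id )` before the first loop would keep that guarantee. `$why` is interpolated into the test names and may be undef on success, which would warn. The enclosing block starts outside the hunk.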
commit 9227a65159da7ac9e5620dbb52ea94f7614434e8
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Mon Dec 3 15:11:03 2012 -0500
Queue is now immutable on templates
b98cf37 removed this functionality, which closes any possibility of the
vulnerability in question. Leave the tests, but adjust for the fact
that no movement is ever possible.
diff --git a/t/security/CVE-2011-2084-modifyscrips-templates.t b/t/security/CVE-2011-2084-modifyscrips-templates.t
index de3c3b1..0e59c52 100644
--- a/t/security/CVE-2011-2084-modifyscrips-templates.t
+++ b/t/security/CVE-2011-2084-modifyscrips-templates.t
@@ -122,12 +122,12 @@ diag "ModifyTemplate";
RT::Test->add_rights( Principal => $user, Right => 'ModifyTemplate', Object => $qb );
- set_ok( Queue => $template => $qb );
+ set_fails( Queue => $template => $qb );
set_fails( Queue => $template => 0 );
RT::Test->add_rights( Principal => $user, Right => 'ModifyTemplate' );
- set_ok( Queue => $template => 0 );
+ set_fails( Queue => $template => 0 );
}
done_testing;
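Review bot: Both `set_fails( Queue => $template => ... )` calls now expect failure whether or not `ModifyTemplate` was granted, so the test no longer shows that the template stayed where it was, only that the setter returned false. Recording the queue before the attempts and comparing afterwards would pin the immutability the commit message describes, e.g. `my $before = $template->Queue;` ahead of the calls and `is $template->Queue, $before, 'template queue unchanged';` after them. A comment noting that the two `add_rights` calls are kept deliberately, to show that rights no longer matter, would explain why they remain. The enclosing block starts outside the hunk.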
-----------------------------------------------------------------------