From de2cc8c4d5f19714a441caa19172ca2b15abc2c7 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sat, 20 Jul 2024 13:07:16 +0200
Subject: [PATCH 1/4] GH-114: Lock down bug tracker to developers only

All further conversation about bugs is supposed to happen on Github. We still allow developers to edit the bug tracker, so they can clean up. We start by disallowing users to add patches.
---
 www/bug.php | 4 +++-
 www/patch-add.php | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/www/bug.php b/www/bug.php
index aa90dbed..6e750d45 100644
--- a/www/bug.php
+++ b/www/bug.php
@@ -1109,7 +1109,9 @@
 OUTPUT;
 }
- echo "

Add a Patch

";
+ if ($logged_in) {
+ echo "

Add a Patch

";
+ }
 $pullRequestRepository = $container->get(PullRequestRepository::class);
 $pulls = $pullRequestRepository->findAllByBugId($bug_id);
diff --git a/www/patch-add.php b/www/patch-add.php
index 9429ced1..12e31add 100644
--- a/www/patch-add.php
+++ b/www/patch-add.php
@@ -16,6 +16,13 @@
 // Authenticate
 bugs_authenticate($user, $pw, $logged_in, $user_flags);
+if (!$logged_in) {
+ response_header('Developers only');
+ display_bug_error('Only developers are allowed to add patches');
+ response_footer();
+ exit;
+}
+
 $canpatch = true;
 /// Input vars
From 156851dda896cc233800c2ad04a00cbd9f237596 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sat, 20 Jul 2024 13:45:12 +0200
Subject: [PATCH 2/4] Disallow users to comment
---
 www/bug.php | 19 +++++++------------
 www/fix.php | 3 +--
 2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/www/bug.php b/www/bug.php
index 6e750d45..8ec786f4 100644
--- a/www/bug.php
+++ b/www/bug.php
@@ -185,7 +185,7 @@
 $project = $bug['project'];
 // Only fetch stuff when it's really needed
-if ($edit && $edit < 3) {
+if ($edit && $edit < 2) {
 $packageRepository = $container->get(PackageRepository::class);
 $pseudo_pkgs = $packageRepository->findEnabled();
 }
@@ -210,11 +210,10 @@
 // Check if session answer is set, then compare it with the post captcha value.
 // If it's not the same, then it's an incorrect password.
 if (!$logged_in) {
- if (!isset($_SESSION['answer'])) {
- $errors[] = 'Please enable cookies so the Captcha system can work';
- } elseif ($_POST['captcha'] != $_SESSION['answer']) {
- $errors[] = 'Incorrect Captcha';
- }
+ response_header('Developers only');
+ display_bug_error('Only developers are allowed to comment; if you are the original reporter use the Edit tab');
+ response_footer();
+ exit;
 }
 $ncomment = trim($_POST['ncomment']);
@@ -719,7 +718,6 @@
 if ($bug_id !== 'PREVIEW') {
 echo '
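Review bot: The refusal added in www/patch-add.php (hunk at -16) sets no explicit HTTP status before rendering the "Developers only" page, so unless `response_header()` sets one itself (not visible here) a rejected anonymous request looks like a success to scripts and access-log monitoring. Consider `http_response_code(403);` directly before `response_header('Developers only');`; the same applies to the identical gate added to www/bug.php at -210 and to the `die()` added to www/vote.php. This check, not the `if ($logged_in)` wrapper around the "Add a Patch" link in the bug.php hunk at -1109, is the enforcement point, and a comment such as `// Server-side gate: patch uploads are limited to authenticated developers (GH-114).` would record that. The `$canpatch = true;` context line suggests the rest of the script may still carry an anonymous branch that is now unreachable; that code lies outside the hunk.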
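Review bot: In the www/bug.php hunk at -210 the two context comments above `if (!$logged_in) {` still describe comparing the session answer with the posted captcha value, which is exactly the logic this change removes, so the block now documents a captcha check while acting as an access gate. Replace them with something like `// Comments are restricted to logged-in developers; anonymous submissions are rejected before any input is read.` The error text sends reporters to the Edit tab, which leaves the reporter-password path as the remaining write path for users who are not logged in; whether that path keeps its own spam protection now that the captcha branch is gone is outside this hunk and worth confirming.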
', "\n",
 control(0, 'View'),
- ($bug['private'] == 'N' ? control(3, 'Add Comment') : ''),
 control(1, 'Developer'),
 (!$email || $bug['email'] == $email? control(2, 'Edit') : ''),
 '
', "\n";
@@ -804,9 +802,7 @@
 Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
- If this is not your bug, you can
- add a comment by following this link.
- If this is your bug, but you forgot your password, you can retrieve your password here.
+ If you forgot your password, you can retrieve your password here.
@@ -831,8 +827,7 @@
 ?>
Welcome! If you don't have a Git account, you can't do anything here.
- You can add a comment by following this link
- or if you reported this bug, you can edit this bug over here.
+ If you reported this bug, you can edit this bug over here.
diff --git a/www/fix.php b/www/fix.php
index bd935b79..bd62e1f8 100644
--- a/www/fix.php
+++ b/www/fix.php
@@ -73,8 +73,7 @@
Welcome! If you don't have a Git account, you can't do anything here.
- You can add a comment by following this link
- or if you reported this bug, you can edit this bug over here.
+ If you reported this bug, you can edit this bug over here.
From 511cbc971749695f59347e957ee76355f4d1eb0c Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sat, 20 Jul 2024 16:29:04 +0200
Subject: [PATCH 3/4] Disable voting (fixes #112)
---
 www/bug.php | 2 +-
 www/vote.php | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/www/bug.php b/www/bug.php
index 8ec786f4..9fca7257 100644
--- a/www/bug.php
+++ b/www/bug.php
@@ -1288,5 +1288,5 @@ function control($num, $desc)
 function canvote($thanks, $status)
 {
- return ($thanks != 4 && $thanks != 6 && $status != 'Closed' && $status != 'Not a bug' && $status != 'Duplicate');
+ return false;
 }
diff --git a/www/vote.php b/www/vote.php
index e32f21d0..517f7079 100644
--- a/www/vote.php
+++ b/www/vote.php
@@ -3,6 +3,8 @@
 use App\Repository\BugRepository;
 use App\Repository\VoteRepository;
+die('Voting on tickets is disabled');
+
 // Obtain common includes
 require_once '../include/prepend.php';
From 1ead289f10f741a041ae89d292c369c22caac659 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 31 Jul 2024 19:28:02 +0200
Subject: [PATCH 4/4] We still may need the package list
---
 www/bug.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/www/bug.php b/www/bug.php
index 9fca7257..197be8c2 100644
--- a/www/bug.php
+++ b/www/bug.php
@@ -185,7 +185,7 @@
 $project = $bug['project'];
 // Only fetch stuff when it's really needed
-if ($edit && $edit < 2) {
+if ($edit && $edit < 3) {
 $packageRepository = $container->get(PackageRepository::class);
 $pseudo_pkgs = $packageRepository->findEnabled();
 }
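Review bot: In www/vote.php (hunk at -3) the `die('Voting on tickets is disabled');` sits above `require_once '../include/prepend.php';`, so the rest of the handler stays in the file as unreachable code with nothing in the source saying so. A comment on that line, for example `// Voting is disabled (#112); everything below is unreachable and kept only for reference.`, would stop a later reader from assuming the vote-handling code below is still live. Because the exit happens before the common include, any headers or session setup that include applies (not visible here) are skipped for this response. In the www/bug.php hunk at -1288, `canvote()` now ignores both `$thanks` and `$status`; a one-line docblock stating that it is deliberately hard-wired to `false` while voting is disabled would explain the unused parameters.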