use Bugzilla::Chart;
use Bugzilla::Series;
use Bugzilla::User;
+use Bugzilla::Token;
# For most scripts we don't make $cgi and $template global variables. But
# when preparing Bugzilla for mod_perl, this script used these
}
elsif ($action eq "create") {
assertCanCreate($cgi);
-
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['create-series']);
+
my $series = new Bugzilla::Series($cgi);
if (!$series->existsInDatabase()) {
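Review bot: The `'create-series'` string passed to `check_hash_token` must match exactly what the create form passes to `issue_hash_token`, and nothing in the hunk says so. A later rename on one side only would make every create request fail the token check. I would add a comment above the check, e.g. `# CSRF check: data must match issue_hash_token(['create-series']) in the create form template.` The `create` branch continues past the end of the hunk.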
detaint_natural($series_id) || ThrowCodeError("invalid_series_id");
assertCanEdit($series_id);
- my $series = new Bugzilla::Series($cgi);
+ # We cannot use the $series object below, as its name may have changed.
+ my $series = new Bugzilla::Series($series_id);
+ my $token = $cgi->param('token');
+ check_hash_token($token, [$series->{series_id}, $series->{name}]);
+ $series = new Bugzilla::Series($cgi);
# We need to check if there is _another_ series in the database with
# our (potentially new) name. So we call existsInDatabase() to see if
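Review bot: The series loaded by id in the added `my $series = new Bugzilla::Series($series_id);` is dereferenced on the `check_hash_token` line without checking that the constructor returned an object. If the constructor can return undef for an id that is missing or not visible to the user (its implementation is not shown here, and `assertCanEdit` may already cover this), the request would end in a Perl runtime error instead of a Bugzilla error page. A guard such as `$series || ThrowCodeError("invalid_series_id");` before the token check would keep the failure explicit. Re-using `$series` for the stored and then the submitted series also makes the added comment hard to follow; a separate name such as `$stored_series` would read more clearly. The enclosing branch starts and ends outside the hunk.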
[% PROCESS reports/series.html.tmpl
button_name = "Change Data Set" %]
<input type="hidden" name="action" value="alter">
-
+ <input type="hidden" name="token"
+ value="[% issue_hash_token([default.series_id, default.name]) FILTER html %]">
+
[% IF default.series_id %]
<input type="hidden" name="series_id" value="[% default.series_id %]">
[% END %]
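Review bot: The new hidden `token` input sits above the `[% IF default.series_id %]` guard, so a token is issued from `default.series_id` and `default.name` even when the id is empty. Whether that can happen on this form is not visible here, but the token is only meaningful together with `series_id`. Moving the input inside the `IF` block would keep the two fields coupled. The create form's token input (the `['create-series']` one) has no such dependency and is fine as placed.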
[% PROCESS reports/series.html.tmpl
button_name = "Create Data Set" %]
<input type="hidden" name="action" value="create">
+ <input type="hidden" name="token" value="[% issue_hash_token(['create-series']) FILTER html %]">
<script type="text/javascript">
document.chartform.category[0].selected = true;