aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2011-09-17 13:43:43 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2011-09-17 13:43:43 +0200
commit318295325c43fcc8fd3253c46525c3ce57df1329 (patch)
tree669f09b46e81564953de893c260932faf74749a0
parentce96ea3708aa6d51eaf9fb4f95ae2fb926d532e0 (diff)
downloadbugs-318295325c43fcc8fd3253c46525c3ce57df1329.tar
bugs-318295325c43fcc8fd3253c46525c3ce57df1329.tar.gz
bugs-318295325c43fcc8fd3253c46525c3ce57df1329.tar.bz2
bugs-318295325c43fcc8fd3253c46525c3ce57df1329.tar.xz
bugs-318295325c43fcc8fd3253c46525c3ce57df1329.zip
Bug 686227: Users with editcomponents privs must be able to add products they cannot see to the inclusion and exclusion lists when creating or editing a flagtype
r=dkl a=LpSolit
-rw-r--r--Bugzilla/FlagType.pm20
1 files changed, 18 insertions, 2 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index bd3f7b054..7f37dd884 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -357,7 +357,15 @@ sub set_request_group { $_[0]->set('request_group_id', $_[1]); }
sub set_clusions {
my ($self, $list) = @_;
+ my $user = Bugzilla->user;
my %products;
+ my $params = {};
+
+ # If the user has editcomponents privs, then we only need to make sure
+ # that the product exists.
+ if ($user->in_group('editcomponents')) {
+ $params->{allow_inaccessible} = 1;
+ }
foreach my $category (keys %$list) {
my %clusions;
@@ -369,8 +377,16 @@ sub set_clusions {
my $comp_name = '__Any__';
# Does the product exist?
if ($prod_id) {
- $products{$prod_id} ||= Bugzilla::Product->check({ id => $prod_id });
- detaint_natural($prod_id);
+ detaint_natural($prod_id)
+ || ThrowCodeError('param_must_be_numeric',
+ { function => 'Bugzilla::FlagType::set_clusions' });
+
+ if (!$products{$prod_id}) {
+ $params->{id} = $prod_id;
+ $products{$prod_id} = Bugzilla::Product->check($params);
+ $user->in_group('editcomponents', $prod_id)
+ || ThrowUserError('product_access_denied', $params);
+ }
$prod_name = $products{$prod_id}->name;
# Does the component belong to this product?