author | Frédéric Buclin <LpSolit@gmail.com> | 2011-09-17 13:43:43 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2011-09-17 13:43:43 +0200 |
commit | 318295325c43fcc8fd3253c46525c3ce57df1329 (patch) | |
tree | 669f09b46e81564953de893c260932faf74749a0 | |
parent | ce96ea3708aa6d51eaf9fb4f95ae2fb926d532e0 (diff) | |
Bug 686227: Users with editcomponents privs must be able to add products they cannot see to the inclusion and exclusion lists when creating or editing a flagtype
r=dkl a=LpSolit
-rw-r--r-- | Bugzilla/FlagType.pm | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index bd3f7b054..7f37dd884 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -357,7 +357,15 @@ sub set_request_group { $_[0]->set('request_group_id', $_[1]); }
 sub set_clusions {
 my ($self, $list) = @_;
+ my $user = Bugzilla->user;
 my %products;
+ my $params = {};
+
+ # If the user has editcomponents privs, then we only need to make sure
+ # that the product exists.
+ if ($user->in_group('editcomponents')) {
+ $params->{allow_inaccessible} = 1;
+ }
 foreach my $category (keys %$list) {
 my %clusions;
@@ -369,8 +377,16 @@ sub set_clusions {
 my $comp_name = '__Any__';
 # Does the product exist?
 if ($prod_id) {
- $products{$prod_id} ||= Bugzilla::Product->check({ id => $prod_id });
- detaint_natural($prod_id);
+ detaint_natural($prod_id)
+ || ThrowCodeError('param_must_be_numeric',
+ { function => 'Bugzilla::FlagType::set_clusions' });
+
+ if (!$products{$prod_id}) {
+ $params->{id} = $prod_id;
+ $products{$prod_id} = Bugzilla::Product->check($params);
+ $user->in_group('editcomponents', $prod_id)
+ || ThrowUserError('product_access_denied', $params);
+ }
 $prod_name = $products{$prod_id}->name;
 # Does the component belong to this product? |
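Review bot: The comment on the new `allow_inaccessible` branch in `set_clusions` says only the product's existence needs checking, yet the later hunk still requires `$user->in_group('editcomponents', $prod_id)` for every product, so the comment understates the access control that actually applies. The flag presumably switches off the visibility check inside `Bugzilla::Product->check` (its body is not shown here), which makes the per-product test the only remaining guard and worth naming so it is not removed later. I would reword the comment to something like `# Global editcomponents: skip the visibility check in Product->check(); per-product editcomponents is still enforced below.` The body of `set_clusions` continues outside this hunk.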
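Review bot: `$params` is a single hashref shared by every iteration of the loop: the new block writes `$params->{id}` into it, hands it to `Bugzilla::Product->check`, and then reuses it as the variables for `ThrowUserError`. If `check` alters its argument (not visible here), that state carries over to the next product, and the error template also receives `allow_inaccessible`. Building a fresh hash per product keeps the lookup and the error data separate: `$products{$prod_id} = Bugzilla::Product->check({ %$params, id => $prod_id });` and `|| ThrowUserError('product_access_denied', { id => $prod_id });`. It is also worth a test that a caller without global editcomponents gets the same error for a hidden product id and a nonexistent one, so the inclusion and exclusion lists cannot be used to learn which ids exist. The enclosing loop in `set_clusions` starts and ends outside the hunk.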