author | Simon Green <simon@simongreen.net> | 2014-10-08 12:58:13 +1000 |
---|---|---|
committer | Simon Green <sgreen@redhat.com> | 2014-10-08 12:58:13 +1000 |
commit | 847191ac9f29dee98088203d2ac135b9d820b507 (patch) | |
tree | d5b1b6ee6494d0989d6cb6914b1258a2805396d2 | |
parent | caf21973f5ea0e1caf30165234e2b50ed753ebaa (diff) | |
Bug 1009406 - A user with local editcomponents privs cannot update the inclusion and exclusion lists when the flagtype is already restricted to products the user cannot edit
r=dkl, a=simon
-rw-r--r-- | Bugzilla/FlagType.pm | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index 5cbfdd979..72b3f64c1 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -41,6 +41,7 @@ use Bugzilla::Util;
 use Bugzilla::Group;
 use Email::Address;
+use List::MoreUtils qw(uniq);
 use parent qw(Bugzilla::Object);
@@ -379,8 +380,6 @@ sub set_clusions {
 if (!$products{$prod_id}) {
 $params->{id} = $prod_id;
 $products{$prod_id} = Bugzilla::Product->check($params);
- $user->in_group('editcomponents', $prod_id)
- || ThrowUserError('product_access_denied', $params);
 }
 $prod_name = $products{$prod_id}->name;
@@ -406,6 +405,22 @@ sub set_clusions {
 $clusions{"$prod_name:$comp_name"} = "$prod_id:$comp_id";
 $clusions_as_hash{$prod_id}->{$comp_id} = 1;
 }
+
+ # Check the user has the editcomponent permission on products that are changing
+ if (! $user->in_group('editcomponents')) {
+ my $current_clusions = $self->$category;
+ my ($removed, $added)
+ = diff_arrays([ values %$current_clusions ], [ values %clusions ]);
+ my @changed_product_ids
+ = uniq map { substr($_, 0, index($_, ':')) } @$removed, @$added;
+ foreach my $product_id (@changed_product_ids) {
+ $user->in_group('editcomponents', $product_id)
+ || ThrowUserError('product_access_denied',
+ { name => $products{$product_id}->name });
+ }
+ }
+
+ # Set the changes
 $self->{$category} = \%clusions;
 $self->{"${category}_as_hash"} = \%clusions_as_hash;
 $self->{"_update_$category"} = 1; |
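Review bot: In the new permission loop of set_clusions, `$products{$product_id}->name` can be called on an undefined value, because %products is filled only for product ids in the submitted list (the `if (!$products{$prod_id})` context in the second hunk) while @changed_product_ids also holds ids taken from @$removed, which exist only in the current list. A user without global editcomponents who drops an entry for a product they cannot edit would then hit a Perl runtime error instead of product_access_denied; the request still fails, so this looks like an error-handling defect rather than a bypass. Resolving the name defensively would fix it, for example `my $product = $products{$product_id} || Bugzilla::Product->new($product_id);` followed by `{ name => $product ? $product->name : $product_id }`. The loop that parses the submitted ids starts outside the hunk, so it is worth confirming there whether a wildcard entry can produce a product part that is not a real product id, since that would reach the same lookup and the per-product in_group call.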