authorSimon Green <simon@simongreen.net>2014-10-08 12:58:13 +1000
committerSimon Green <sgreen@redhat.com>2014-10-08 12:58:13 +1000
commit847191ac9f29dee98088203d2ac135b9d820b507 (patch)
treed5b1b6ee6494d0989d6cb6914b1258a2805396d2
parentcaf21973f5ea0e1caf30165234e2b50ed753ebaa (diff)
Bug 1009406 - A user with local editcomponents privs cannot update the inclusion and exclusion lists when the flagtype is already restricted to products the user cannot edit
r=dkl, a=simon
-rw-r--r--Bugzilla/FlagType.pm19
1 files changed, 17 insertions, 2 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index 5cbfdd979..72b3f64c1 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -41,6 +41,7 @@ use Bugzilla::Util;
use Bugzilla::Group;
use Email::Address;
+use List::MoreUtils qw(uniq);
use parent qw(Bugzilla::Object);
@@ -379,8 +380,6 @@ sub set_clusions {
if (!$products{$prod_id}) {
$params->{id} = $prod_id;
$products{$prod_id} = Bugzilla::Product->check($params);
- $user->in_group('editcomponents', $prod_id)
- || ThrowUserError('product_access_denied', $params);
}
$prod_name = $products{$prod_id}->name;
@@ -406,6 +405,22 @@ sub set_clusions {
$clusions{"$prod_name:$comp_name"} = "$prod_id:$comp_id";
$clusions_as_hash{$prod_id}->{$comp_id} = 1;
}
+
+ # Check the user has the editcomponent permission on products that are changing
+ if (! $user->in_group('editcomponents')) {
+ my $current_clusions = $self->$category;
+ my ($removed, $added)
+ = diff_arrays([ values %$current_clusions ], [ values %clusions ]);
+ my @changed_product_ids
+ = uniq map { substr($_, 0, index($_, ':')) } @$removed, @$added;
+ foreach my $product_id (@changed_product_ids) {
+ $user->in_group('editcomponents', $product_id)
+ || ThrowUserError('product_access_denied',
+ { name => $products{$product_id}->name });
+ }
+ }
+
+ # Set the changes
$self->{$category} = \%clusions;
$self->{"${category}_as_hash"} = \%clusions_as_hash;
$self->{"_update_$category"} = 1;
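Review bot: The denial path in the new `foreach` calls `$products{$product_id}->name`, but as far as the visible lines show `%products` is only filled for product ids in the submitted list, while `@$removed` comes from the flag type's current clusions. If a user without the privilege removes an entry for a product that is absent from the new list, the lookup presumably yields undef and the request dies with a Perl method-call error instead of `product_access_denied`. That still fails closed, since it aborts before `$self->{$category}` is assigned, but the user gets an internal error and the refusal is harder to recognise in logs. I would fall back to the id, which the removed check already passed via `$params`: `my $product = $products{$product_id};` followed by `ThrowUserError('product_access_denied', $product ? { name => $product->name } : { id => $product_id });`. `set_clusions` starts and ends outside this hunk, so how `%products` is populated should be confirmed against the full loop.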