author | lpsolit%gmail.com <> | 2005-12-12 11:12:25 +0000 |
---|---|---|
committer | lpsolit%gmail.com <> | 2005-12-12 11:12:25 +0000 |
commit | e2f691c9eb53c6a9c8b02b740b444e6d558e35e8 (patch) | |
tree | 4b6c4e4809ae76a0d15d5242ac9943038ce1ff1e /editproducts.cgi | |
parent | 545a57e3d1866c18cce29dae67da2bd48e775ef0 (diff) | |
Bug 271596: editcomponents priv allows you to see/edit products you don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=justdave
Diffstat (limited to 'editproducts.cgi')
-rwxr-xr-x | editproducts.cgi | 53 |
1 files changed, 38 insertions, 15 deletions
diff --git a/editproducts.cgi b/editproducts.cgi index b4007a2f4..2b7c5dc5d 100755 --- a/editproducts.cgi +++ b/editproducts.cgi @@ -82,15 +82,10 @@ if (Param('useclassification') && !$classification_name && !$product_name) { - my @classifications = - Bugzilla::Classification::get_all_classifications(); + $vars->{'classifications'} = $user->get_selectable_classifications; - $vars->{'classifications'} = \@classifications; - - $template->process("admin/products/list-classifications.html.tmpl", - $vars) + $template->process("admin/products/list-classifications.html.tmpl", $vars) || ThrowTemplateError($template->error()); - exit; } @@ -101,19 +96,19 @@ if (Param('useclassification') # if (!$action && !$product_name) { - my @products; + my $products; if (Param('useclassification')) { my $classification = Bugzilla::Classification::check_classification($classification_name); - @products = @{$classification->products}; + $products = $user->get_selectable_products($classification->id); $vars->{'classification'} = $classification; } else { - @products = Bugzilla::Product::get_all_products; + $products = $user->get_selectable_products; } - $vars->{'products'} = \@products; + $vars->{'products'} = $products; $vars->{'showbugcounts'} = $showbugcounts; $template->process("admin/products/list.html.tmpl", $vars) @@ -327,9 +322,13 @@ if ($action eq 'new') { # if ($action eq 'del') { - + # First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + if (Param('useclassification')) { my $classification = Bugzilla::Classification::check_classification($classification_name); 
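Review bot: In the `if (Param('useclassification'))` branch of the second hunk, the caller-supplied `$classification_name` is still resolved with `Bugzilla::Classification::check_classification` and handed to the template as `$vars->{'classification'}` without checking that the user may select that classification, even though the classification list in the previous hunk is now filtered through `$user->get_selectable_classifications`. The product list itself is filtered by `get_selectable_products($classification->id)`, so only visible products appear, but whatever the template renders from `classification` is shown for a classification the user could not have reached from the filtered list. Consider rejecting a classification that is not among `@{ $user->get_selectable_classifications }` with the same kind of access-denied error this commit introduces for products, e.g. `grep { $_->id == $classification->id } @{ $user->get_selectable_classifications } or ThrowUserError(<access-denied error tag>, {...});`. The enclosing `if (!$action && !$product_name)` block continues past the end of the hunk.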
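Review bot: In the `del` hunk the new gate authorizes an administrative action with a visibility predicate, `$user->can_see_product($product->name)`, while the comment above it says the user is "allowed to edit properties of this product"; the two coincide only because the intended rule is "editcomponents plus visibility", so the comment should state that rule, e.g. `# An editcomponents user may only administer products they can see.`. The same three lines are pasted into the delete, edit, updategroupcontrols, update and editgroupcontrols hunks as well; one helper that resolves the name and performs the check would keep a future action branch from omitting it, assuming `$user` is the file-level lexical the hunks already use. Note also that if `check_product` reports an unknown name with a different error than `product_access_denied`, the pair of errors lets an editcomponents user tell hidden products from nonexistent ones; reusing the not-found error here would avoid that oracle at the cost of a less specific message. The `del` branch continues past the end of the hunk.
```perl
# Resolve a product name and require that the current user may administer it.
# Every action branch that takes a product name goes through this instead of
# calling check_product directly, so no branch can skip the access check.
sub check_product_access {
    my ($product_name) = @_;
    my $product = Bugzilla::Product::check_product($product_name);
    $user->can_see_product($product->name)
      || ThrowUserError('product_access_denied', {product => $product->name});
    return $product;
}

# … unchanged: earlier action branches …
if ($action eq 'del') {
    my $product = check_product_access($product_name);
    # … unchanged: classification check …
```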
@@ -353,8 +352,12 @@ if ($action eq 'del') { # if ($action eq 'delete') { - + # First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); + + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); $vars->{'product'} = $product; @@ -425,9 +428,13 @@ if ($action eq 'delete') { # if ($action eq 'edit' || (!$action && $product_name)) { - + # First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + if (Param('useclassification')) { my $classification; if (!$classification_name) { @@ -476,8 +483,13 @@ if ($action eq 'edit' || (!$action && $product_name)) { # if ($action eq 'updategroupcontrols') { - + # First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); + + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + my @now_na = (); my @now_mandatory = (); foreach my $f ($cgi->param()) { @@ -739,8 +751,13 @@ if ($action eq 'update') { my $checkvotes = 0; + # First make sure the product name is valid. my $product_old = Bugzilla::Product::check_product($product_old_name); + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product_old->name) + || ThrowUserError('product_access_denied', {product => $product_old->name}); + if (Param('useclassification')) { my $classification; if (!$classification_name) { 
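Review bot: In the `update` hunk the access check covers `$product_old`, the product being modified, but the branch continues outside the hunk with `my $classification; if (!$classification_name) {`, which resolves a classification from caller input; if that code lets the request move the product into a classification of the caller's choosing, the target is not covered by this check. If so, the branch should also require the target classification to be among `@{ $user->get_selectable_classifications }` before performing the move, and the same consideration applies to the `edit` hunk earlier on this line, where a classification branch likewise follows the check. The enclosing `if ($action eq 'update')` block starts before and ends after the hunk.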
@@ -971,7 +988,13 @@ if ($action eq 'update') { # if ($action eq 'editgroupcontrols') { + # First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); + + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + # Display a group if it is either enabled or has bugs for this product. my $groups = $dbh->selectall_arrayref( 'SELECT id, name, entry, membercontrol, othercontrol, canedit, |