authorjustdave%syndicomm.com <>2001-11-21 17:30:47 +0100
committerjustdave%syndicomm.com <>2001-11-21 17:30:47 +0100
commit6bba72d1c264bb3469c0350ef29ca65bc6004a77 (patch)
treed96913c081d0c8470daa93f4ffcf782c73d9e3e5
parentdd8f8cedb0637e5afb46bf50e3e6569520b88f7b (diff)
Fix for bug 102141: SECURITY FIX - the Product popup menu on the show_bug form listed all products, even if the user didn't
have access to all of them. It now only shows products the user has access to (and the product the bug is in, if the user is viewing it because of some other override) Patch by George Hotelling <george.hotelling@iconideas.com> and Dave Miller <justdave@syndicomm.com> r= bbaetz, caillon
-rw-r--r--bug_form.pl48
1 files changed, 44 insertions, 4 deletions
diff --git a/bug_form.pl b/bug_form.pl
index 67829d111..2f8cea0a5 100644
--- a/bug_form.pl
+++ b/bug_form.pl
@@ -38,7 +38,6 @@ sub bug_form_pl_sillyness {
$zz = @::legal_keywords;
$zz = @::legal_opsys;
$zz = @::legal_platform;
- $zz = @::legal_product;
$zz = @::legal_priority;
$zz = @::settable_resolution;
$zz = @::legal_severity;
@@ -149,6 +148,49 @@ if (defined $URL && $URL ne "none" && $URL ne "NULL" && $URL ne "") {
$URL = "<B>URL:</B>";
}
+#
+# Make a list of products the user has access to
+#
+
+my (@prodlist, $product_popup);
+foreach my $p (sort(keys %::versions)) {
+ if ($p eq $bug{'product'}) {
+ # if it's the product the bug is already in, it's ALWAYS in
+ # the popup, period, whether the user can see it or not, and
+ # regardless of the disallownew setting.
+ push(@prodlist, $p);
+ next;
+ }
+ if (defined $::proddesc{$p} && $::proddesc{$p} eq '0') {
+ # Special hack. If we stuffed a "0" into proddesc, that means
+ # that disallownew was set for this bug, and so we don't want
+ # to allow people to specify that product here.
+ next;
+ }
+ if(Param("usebuggroupsentry")
+ && GroupExists($p)
+ && !UserInGroup($p))
+ {
+ # If we're using bug groups to restrict entry on products, and
+ # this product has a bug group, and the user is not in that
+ # group, we don't want to include that product in this list.
+ next;
+ }
+ push(@prodlist, $p);
+}
+
+# If the user has access to multiple products, display a popup, otherwise
+# display the current product.
+
+if (1 < @prodlist) {
+ $product_popup = "<SELECT NAME=product>" .
+ make_options(\@prodlist, $bug{'product'}) .
+ "</SELECT>";
+}
+else {
+ $product_popup = $bug{'product'};
+}
+
print "
<INPUT TYPE=HIDDEN NAME=\"delta_ts\" VALUE=\"$bug{'delta_ts'}\">
<INPUT TYPE=HIDDEN NAME=\"longdesclength\" VALUE=\"$longdesclength\">
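Review bot: The filtering in the `foreach my $p (sort(keys %::versions))` loop only narrows what the form offers, and the diffstat lists bug_form.pl as the only file changed, so nothing visible in this commit rejects a submitted `product` value the user has no group access to. The script that processes this form should apply the same `Param("usebuggroupsentry") && GroupExists($p) && !UserInGroup($p)` test to the submitted product and refuse the change when it fails; it is worth confirming that it already does. Separately, the comment in the `'0'` branch says disallownew was set "for this bug", but the flag is looked up per product in `%::proddesc`, so it should read `# that disallownew was set for this product, and so we don't want`. The surrounding top-level code and the `print` statement continue outside this hunk.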
@@ -162,9 +204,7 @@ print "
<TD ALIGN=RIGHT><B>Reporter:</B></TD><TD>$bug{'reporter'}</TD>
</TR><TR>
<TD ALIGN=RIGHT><B>Product:</B></TD>
- <TD><SELECT NAME=product>" .
- make_options(\@::legal_product, $bug{'product'}) .
- "</SELECT></TD>
+ <TD>$product_popup</TD>
<TD>&nbsp;</TD>
<TD ALIGN=RIGHT><B>OS:</B></TD>
<TD><SELECT NAME=op_sys>" .
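Review bot: When `@prodlist` holds a single entry, `$product_popup` is just the product name, so `<TD>$product_popup</TD>` emits no `product` form field at all, whereas the old code always emitted a `<SELECT NAME=product>`. If the form handler reads `product` from the submission (not visible here), it now receives nothing in that case; the else branch could emit a hidden field next to the text, e.g. `$product_popup = "<INPUT TYPE=HIDDEN NAME=product VALUE=\"$bug{'product'}\">$bug{'product'}";`. The product name also now lands directly in HTML text instead of going through `make_options`, so it should be escaped the same way the file treats other `%bug` fields, if that is not already done before this point. The `print` statement starts and ends outside this hunk.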