author | Frédéric Buclin <LpSolit@gmail.com> | 2011-09-17 13:45:01 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2011-09-17 13:45:01 +0200 |
commit | 7dcb30cb4e5b26a052aaca21f3bcf4657f8c3126 (patch) | |
tree | fefadcef19a1c79b019c8e994b36df9351253f98 | |
parent | bf43fce9af6415fd747854204ba394558843272d (diff) | |
Bug 686227: Users with editcomponents privs must be able to add products they cannot see to the inclusion and exclusion lists when creating or editing a flagtype
r=dkl a=LpSolit
-rw-r--r-- | Bugzilla/FlagType.pm | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index bd3f7b054..7f37dd884 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -357,7 +357,15 @@ sub set_request_group { $_[0]->set('request_group_id', $_[1]); }
 sub set_clusions {
 my ($self, $list) = @_;
+ my $user = Bugzilla->user;
 my %products;
+ my $params = {};
+
+ # If the user has editcomponents privs, then we only need to make sure
+ # that the product exists.
+ if ($user->in_group('editcomponents')) {
+ $params->{allow_inaccessible} = 1;
+ }
 foreach my $category (keys %$list) {
 my %clusions;
@@ -369,8 +377,16 @@ sub set_clusions {
 my $comp_name = '__Any__';
 # Does the product exist?
 if ($prod_id) {
- $products{$prod_id} ||= Bugzilla::Product->check({ id => $prod_id });
- detaint_natural($prod_id);
+ detaint_natural($prod_id)
+ || ThrowCodeError('param_must_be_numeric',
+ { function => 'Bugzilla::FlagType::set_clusions' });
+
+ if (!$products{$prod_id}) {
+ $params->{id} = $prod_id;
+ $products{$prod_id} = Bugzilla::Product->check($params);
+ $user->in_group('editcomponents', $prod_id)
+ || ThrowUserError('product_access_denied', $params);
+ }
 $prod_name = $products{$prod_id}->name;
 # Does the component belong to this product? |
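Review bot: The comment added above the `allow_inaccessible` assignment in the first hunk (@@ -357, set_clusions) says only that the product must exist, and does not state that the flag relaxes an access check, which is the part a later maintainer most needs to see. Going by the option name and the commit description, the flag presumably tells Bugzilla::Product->check to skip its visibility test, but that method is not part of this diff, so confirm before wording it as fact. I would reword the comment along the lines of `# Global editcomponents members may reference products they cannot see, so only existence is verified; everyone else still goes through the visibility check plus the per-product editcomponents check below.` The body of set_clusions continues outside the hunk.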
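Review bot: In the second hunk (@@ -369) one `$params` hashref is shared by every loop iteration, passed to Bugzilla::Product->check and then reused as the template variables for ThrowUserError, so the access-control option `allow_inaccessible` lives in a mutable structure that outlives each lookup. If Product->check (not shown here) stores anything in its argument, that state would carry over to the next product and into the error output. Building the arguments per call keeps each lookup self-contained: `$products{$prod_id} = Bugzilla::Product->check({ %$params, id => $prod_id });` and `|| ThrowUserError('product_access_denied', { id => $prod_id });`. The enclosing loop starts and ends outside the hunk.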