diff options
| author | lpsolit%gmail.com <> | 2005-12-12 12:12:25 +0100 |
|---|---|---|
| committer | lpsolit%gmail.com <> | 2005-12-12 12:12:25 +0100 |
| commit | e2f691c9eb53c6a9c8b02b740b444e6d558e35e8 (patch) | |
| tree | 4b6c4e4809ae76a0d15d5242ac9943038ce1ff1e /Bugzilla/User.pm | |
| parent | 545a57e3d1866c18cce29dae67da2bd48e775ef0 (diff) | |
| download | bugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.gz bugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.xz | |
Bug 271596: editcomponents priv allows you to see/edit products you don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=justdave
Diffstat (limited to 'Bugzilla/User.pm')
| -rw-r--r-- | Bugzilla/User.pm | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index d35077a4b..9f6c415ef 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -452,12 +452,15 @@ sub can_see_product { sub get_selectable_products { my $self = shift; + my $classification_id = shift; if (defined $self->{selectable_products}) { return $self->{selectable_products}; } my $dbh = Bugzilla->dbh; + my @params = (); + my $query = "SELECT id " . "FROM products " . "LEFT JOIN group_control_map " . @@ -470,9 +473,17 @@ sub get_selectable_products { } $query .= "AND group_id NOT IN(" . $self->groups_as_string . ") " . - "WHERE group_id IS NULL ORDER BY name"; + "WHERE group_id IS NULL "; + + if (Param('useclassification') && $classification_id) { + $query .= "AND classification_id = ? "; + detaint_natural($classification_id); + push(@params, $classification_id); + } - my $prod_ids = $dbh->selectcol_arrayref($query); + $query .= "ORDER BY name"; + + my $prod_ids = $dbh->selectcol_arrayref($query, undef, @params); my @products; foreach my $prod_id (@$prod_ids) { push(@products, new Bugzilla::Product($prod_id)); @@ -1603,9 +1614,12 @@ method should be called in such a case to force reresolution of these groups. =item C<get_selectable_products> - Description: Returns all products the user is allowed to access. + Description: Returns all products the user is allowed to access. This list + is restricted to some given classification if $classification_id + is given. - Params: none + Params: $classification_id - (optional) The ID of the classification + the products belong to. Returns: An array of product objects, sorted by the product name. |