summaryrefslogtreecommitdiffstats
path: root/editcomponents.cgi
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2005-12-12 12:12:25 +0100
committerlpsolit%gmail.com <>2005-12-12 12:12:25 +0100
commite2f691c9eb53c6a9c8b02b740b444e6d558e35e8 (patch)
tree4b6c4e4809ae76a0d15d5242ac9943038ce1ff1e /editcomponents.cgi
parent545a57e3d1866c18cce29dae67da2bd48e775ef0 (diff)
downloadbugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.gz
bugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.xz
Bug 271596: editcomponents priv allows you to see/edit products you don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=justdave
Diffstat (limited to 'editcomponents.cgi')
-rwxr-xr-xeditcomponents.cgi18
1 files changed, 10 insertions, 8 deletions
diff --git a/editcomponents.cgi b/editcomponents.cgi
index 60074cb40..d514fb3bf 100755
--- a/editcomponents.cgi
+++ b/editcomponents.cgi
@@ -20,6 +20,7 @@
#
# Contributor(s): Holger Schurig <holgerschurig@nikocity.de>
# Terry Weissman <terry@mozilla.org>
+# Frédéric Buclin <LpSolit@gmail.com>
#
# Direct any questions on this source code to
#
@@ -71,21 +72,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts'));
#
unless ($product_name) {
-
- my @products = Bugzilla::Product::get_all_products();
-
+ $vars->{'products'} = $user->get_selectable_products;
$vars->{'showbugcounts'} = $showbugcounts;
- $vars->{'products'} = \@products;
- $template->process("admin/components/select-product.html.tmpl",
- $vars)
- || ThrowTemplateError($template->error());
-
+ $template->process("admin/components/select-product.html.tmpl", $vars)
+ || ThrowTemplateError($template->error());
exit;
}
+# First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name);
+# Then make sure the user is allowed to edit properties of this product.
+$user->can_see_product($product->name)
+ || ThrowUserError('product_access_denied', {product => $product->name});
+
+
#
# action='' -> Show nice list of components
#