author | lpsolit%gmail.com <> | 2005-12-12 12:12:25 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2005-12-12 12:12:25 +0100 |
commit | e2f691c9eb53c6a9c8b02b740b444e6d558e35e8 (patch) | |
tree | 4b6c4e4809ae76a0d15d5242ac9943038ce1ff1e /editcomponents.cgi | |
parent | 545a57e3d1866c18cce29dae67da2bd48e775ef0 (diff) | |
Bug 271596: editcomponents priv allows you to see/edit products you don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=justdave
Diffstat (limited to 'editcomponents.cgi')
-rwxr-xr-x | editcomponents.cgi | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/editcomponents.cgi b/editcomponents.cgi
index 60074cb40..d514fb3bf 100755
--- a/editcomponents.cgi
+++ b/editcomponents.cgi
@@ -20,6 +20,7 @@
 #
 # Contributor(s): Holger Schurig <holgerschurig@nikocity.de>
 # Terry Weissman <terry@mozilla.org>
+# Frédéric Buclin <LpSolit@gmail.com>
 #
 # Direct any questions on this source code to
 #
@@ -71,21 +72,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts'));
 #
 unless ($product_name) {
-
- my @products = Bugzilla::Product::get_all_products();
-
+ $vars->{'products'} = $user->get_selectable_products;
 $vars->{'showbugcounts'} = $showbugcounts;
- $vars->{'products'} = \@products;
- $template->process("admin/components/select-product.html.tmpl",
- $vars)
- || ThrowTemplateError($template->error());
-
+ $template->process("admin/components/select-product.html.tmpl", $vars)
+ || ThrowTemplateError($template->error());
 exit;
 }
+# First make sure the product name is valid.
 my $product = Bugzilla::Product::check_product($product_name);
+# Then make sure the user is allowed to edit properties of this product.
+$user->can_see_product($product->name)
+ || ThrowUserError('product_access_denied', {product => $product->name});
+
+
 #
 # action='' -> Show nice list of components
 # |
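Review bot: In the second hunk the existence check runs before the access check, so a user holding the editcomponents privilege can probably still tell a hidden product from a non-existent one by which error comes back. `check_product` presumably raises its own error for an unknown name, while an existing but invisible product ends in `product_access_denied`. If product names are meant to stay confidential, both cases should produce the same user-visible error; `check_product` and the error templates are outside this hunk, so that needs confirming there. The new comment also promises more than the call delivers, since `can_see_product` tests visibility rather than edit rights; I would reword it to `# Then make sure the user is allowed to see this product.` and leave the edit-right claim to wherever that privilege is actually enforced.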