summaryrefslogtreecommitdiffstats
path: root/editmilestones.cgi
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2005-12-12 12:12:25 +0100
committerlpsolit%gmail.com <>2005-12-12 12:12:25 +0100
commite2f691c9eb53c6a9c8b02b740b444e6d558e35e8 (patch)
tree4b6c4e4809ae76a0d15d5242ac9943038ce1ff1e /editmilestones.cgi
parent545a57e3d1866c18cce29dae67da2bd48e775ef0 (diff)
downloadbugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.gz
bugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.xz
Bug 271596: editcomponents priv allows you to see/edit products you don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=justdave
Diffstat (limited to 'editmilestones.cgi')
-rwxr-xr-xeditmilestones.cgi16
1 files changed, 9 insertions, 7 deletions
diff --git a/editmilestones.cgi b/editmilestones.cgi
index 95babd737..c87828526 100755
--- a/editmilestones.cgi
+++ b/editmilestones.cgi
@@ -60,20 +60,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts'));
#
unless ($product_name) {
-
- my @products = Bugzilla::Product::get_all_products();
-
+ $vars->{'products'} = $user->get_selectable_products;
$vars->{'showbugcounts'} = $showbugcounts;
- $vars->{'products'} = \@products;
- $template->process("admin/milestones/select-product.html.tmpl",
- $vars)
- || ThrowTemplateError($template->error());
+ $template->process("admin/milestones/select-product.html.tmpl", $vars)
+ || ThrowTemplateError($template->error());
exit;
}
+# First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name);
+# Then make sure the user is allowed to edit properties of this product.
+$user->can_see_product($product->name)
+ || ThrowUserError('product_access_denied', {product => $product->name});
+
+
#
# action='' -> Show nice list of milestones
#