authorlpsolit%gmail.com <>2005-12-12 12:12:25 +0100
committerlpsolit%gmail.com <>2005-12-12 12:12:25 +0100
commite2f691c9eb53c6a9c8b02b740b444e6d558e35e8 (patch)
tree4b6c4e4809ae76a0d15d5242ac9943038ce1ff1e /editproducts.cgi
parent545a57e3d1866c18cce29dae67da2bd48e775ef0 (diff)
downloadbugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.gz
bugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.xz
Bug 271596: editcomponents priv allows you to see/edit products you don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=justdave
Diffstat (limited to 'editproducts.cgi')
-rwxr-xr-xeditproducts.cgi53
1 files changed, 38 insertions, 15 deletions
diff --git a/editproducts.cgi b/editproducts.cgi
index b4007a2f4..2b7c5dc5d 100755
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -82,15 +82,10 @@ if (Param('useclassification')
&& !$classification_name
&& !$product_name)
{
- my @classifications =
- Bugzilla::Classification::get_all_classifications();
+ $vars->{'classifications'} = $user->get_selectable_classifications;
- $vars->{'classifications'} = \@classifications;
-
- $template->process("admin/products/list-classifications.html.tmpl",
- $vars)
+ $template->process("admin/products/list-classifications.html.tmpl", $vars)
|| ThrowTemplateError($template->error());
-
exit;
}
@@ -101,19 +96,19 @@ if (Param('useclassification')
#
if (!$action && !$product_name) {
- my @products;
+ my $products;
if (Param('useclassification')) {
my $classification =
Bugzilla::Classification::check_classification($classification_name);
- @products = @{$classification->products};
+ $products = $user->get_selectable_products($classification->id);
$vars->{'classification'} = $classification;
} else {
- @products = Bugzilla::Product::get_all_products;
+ $products = $user->get_selectable_products;
}
- $vars->{'products'} = \@products;
+ $vars->{'products'} = $products;
$vars->{'showbugcounts'} = $showbugcounts;
$template->process("admin/products/list.html.tmpl", $vars)
@@ -327,9 +322,13 @@ if ($action eq 'new') {
#
if ($action eq 'del') {
-
+ # First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name);
+ # Then make sure the user is allowed to edit properties of this product.
+ $user->can_see_product($product->name)
+ || ThrowUserError('product_access_denied', {product => $product->name});
+
if (Param('useclassification')) {
my $classification =
Bugzilla::Classification::check_classification($classification_name);
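Review bot: The access gate added at `$user->can_see_product($product->name)` is repeated verbatim in the del, delete, edit, updategroupcontrols, update and editgroupcontrols hunks; a single helper that resolves the name and checks access together keeps the two steps in the same order everywhere and makes the next action added to this script less likely to omit it. The comment `# Then make sure the user is allowed to edit properties of this product.` claims more than the line tests: `can_see_product` is a visibility check, and the right to edit comes from the editcomponents privilege named in the commit title, so `# Then make sure the user can see this product; editcomponents alone is not enough.` describes it accurately. Because `check_product` runs first and raises its own error for an unknown name, a user without access to a hidden product can still tell from the differing error whether that name exists; if that distinction matters, the helper is the one place to return `product_access_denied` for both cases. The enclosing `if ($action eq 'del')` block continues past the hunk.
```perl
# Resolve a product name and confirm $user may see it, in that order,
# so every action applies the same gate before touching the product.
sub check_product_access {
    my ($user, $product_name) = @_;
    my $product = Bugzilla::Product::check_product($product_name);
    $user->can_see_product($product->name)
        || ThrowUserError('product_access_denied', {product => $product->name});
    return $product;
}

# … unchanged: earlier actions …
if ($action eq 'del') {
    my $product = check_product_access($user, $product_name);
    # … unchanged: classification handling …
```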
@@ -353,8 +352,12 @@ if ($action eq 'del') {
#
if ($action eq 'delete') {
-
+ # First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name);
+
+ # Then make sure the user is allowed to edit properties of this product.
+ $user->can_see_product($product->name)
+ || ThrowUserError('product_access_denied', {product => $product->name});
$vars->{'product'} = $product;
@@ -425,9 +428,13 @@ if ($action eq 'delete') {
#
if ($action eq 'edit' || (!$action && $product_name)) {
-
+ # First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name);
+ # Then make sure the user is allowed to edit properties of this product.
+ $user->can_see_product($product->name)
+ || ThrowUserError('product_access_denied', {product => $product->name});
+
if (Param('useclassification')) {
my $classification;
if (!$classification_name) {
@@ -476,8 +483,13 @@ if ($action eq 'edit' || (!$action && $product_name)) {
#
if ($action eq 'updategroupcontrols') {
-
+ # First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name);
+
+ # Then make sure the user is allowed to edit properties of this product.
+ $user->can_see_product($product->name)
+ || ThrowUserError('product_access_denied', {product => $product->name});
+
my @now_na = ();
my @now_mandatory = ();
foreach my $f ($cgi->param()) {
@@ -739,8 +751,13 @@ if ($action eq 'update') {
my $checkvotes = 0;
+ # First make sure the product name is valid.
my $product_old = Bugzilla::Product::check_product($product_old_name);
+ # Then make sure the user is allowed to edit properties of this product.
+ $user->can_see_product($product_old->name)
+ || ThrowUserError('product_access_denied', {product => $product_old->name});
+
if (Param('useclassification')) {
my $classification;
if (!$classification_name) {
@@ -971,7 +988,13 @@ if ($action eq 'update') {
#
if ($action eq 'editgroupcontrols') {
+ # First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name);
+
+ # Then make sure the user is allowed to edit properties of this product.
+ $user->can_see_product($product->name)
+ || ThrowUserError('product_access_denied', {product => $product->name});
+
# Display a group if it is either enabled or has bugs for this product.
my $groups = $dbh->selectall_arrayref(
'SELECT id, name, entry, membercontrol, othercontrol, canedit,