diff options
-rw-r--r-- | Bugzilla/Bug.pm | 10 | ||||
-rw-r--r-- | Bugzilla/BugUrl/Bugzilla/Local.pm | 8 | ||||
-rw-r--r-- | Bugzilla/WebService/Bug.pm | 23 | ||||
-rwxr-xr-x | process_bug.cgi | 13 |
4 files changed, 17 insertions, 37 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 7745a9809..23e07979f 100644 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -403,6 +403,16 @@ sub check { return $self; } +sub check_for_edit { + my $class = shift; + my $bug = $class->check(@_); + + Bugzilla->user->can_edit_product($bug->product_id) + || ThrowUserError("product_edit_denied", { product => $bug->product }); + + return $bug; +} + sub check_is_visible { my $self = shift; my $user = Bugzilla->user; diff --git a/Bugzilla/BugUrl/Bugzilla/Local.pm b/Bugzilla/BugUrl/Bugzilla/Local.pm index 233acbe66..c052d7d3b 100644 --- a/Bugzilla/BugUrl/Bugzilla/Local.pm +++ b/Bugzilla/BugUrl/Bugzilla/Local.pm @@ -119,7 +119,7 @@ sub _check_value { } my $ref_bug_id = $uri->query_param('id'); - my $ref_bug = Bugzilla::Bug->check($ref_bug_id); + my $ref_bug = Bugzilla::Bug->check_for_edit($ref_bug_id); my $self_bug_id = $params->{bug_id}; $params->{ref_bug} = $ref_bug; @@ -127,12 +127,6 @@ sub _check_value { ThrowUserError('see_also_self_reference'); } - my $product = $ref_bug->product_obj; - if (!Bugzilla->user->can_edit_product($product->id)) { - ThrowUserError("product_edit_denied", - { product => $product->name }); - } - return $uri; } diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm index 7844b4e97..63d04bb0b 100644 --- a/Bugzilla/WebService/Bug.pm +++ b/Bugzilla/WebService/Bug.pm @@ -481,7 +481,7 @@ sub update { my $ids = delete $params->{ids}; defined $ids || ThrowCodeError('param_required', { param => 'ids' }); - my @bugs = map { Bugzilla::Bug->check($_) } @$ids; + my @bugs = map { Bugzilla::Bug->check_for_edit($_) } @$ids; my %values = %$params; $values{other_bugs} = \@bugs; @@ -497,11 +497,6 @@ sub update { delete $values{flags}; foreach my $bug (@bugs) { - if (!$user->can_edit_product($bug->product_obj->id) ) { - ThrowUserError("product_edit_denied", - { product => $bug->product }); - } - $bug->set_all(\%values); } @@ -632,11 +627,7 @@ sub add_attachment { defined $params->{data} || ThrowCodeError('param_required', { param => 'data' }); - my @bugs = map { Bugzilla::Bug->check($_) } @{ $params->{ids} }; - foreach my $bug (@bugs) { - Bugzilla->user->can_edit_product($bug->product_id) - || ThrowUserError("product_edit_denied", {product => $bug->product}); - } + my @bugs = map { Bugzilla::Bug->check_for_edit($_) } @{ $params->{ids} }; my @created; $dbh->bz_start_transaction(); @@ -681,11 +672,8 @@ sub add_comment { (defined $comment && trim($comment) ne '') || ThrowCodeError('param_required', { param => 'comment' }); - my $bug = Bugzilla::Bug->check($params->{id}); + my $bug = Bugzilla::Bug->check_for_edit($params->{id}); - $user->can_edit_product($bug->product_id) - || ThrowUserError("product_edit_denied", {product => $bug->product}); - # Backwards-compatibility for versions before 3.6 if (defined $params->{private}) { $params->{is_private} = delete $params->{private}; @@ -726,10 +714,7 @@ sub update_see_also { my @bugs; foreach my $id (@{ $params->{ids} }) { - my $bug = Bugzilla::Bug->check($id); - $user->can_edit_product($bug->product_id) - || ThrowUserError("product_edit_denied", - { product => $bug->product }); + my $bug = Bugzilla::Bug->check_for_edit($id); push(@bugs, $bug); if ($remove) { $bug->remove_see_also($_) foreach @$remove; diff --git a/process_bug.cgi b/process_bug.cgi index 9ba03e277..dc5ad9138 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -96,14 +96,14 @@ sub should_set { # Create a list of objects for all bugs being modified in this request. my @bug_objects; if (defined $cgi->param('id')) { - my $bug = Bugzilla::Bug->check(scalar $cgi->param('id')); + my $bug = Bugzilla::Bug->check_for_edit(scalar $cgi->param('id')); $cgi->param('id', $bug->id); push(@bug_objects, $bug); } else { foreach my $i ($cgi->param()) { if ($i =~ /^id_([1-9][0-9]*)/) { my $id = $1; - push(@bug_objects, Bugzilla::Bug->check($id)); + push(@bug_objects, Bugzilla::Bug->check_for_edit($id)); } } } @@ -213,15 +213,6 @@ else { $action = 'nothing'; } -# For each bug, we have to check if the user can edit the bug the product -# is currently in, before we allow them to change anything. -foreach my $bug (@bug_objects) { - if (!$user->can_edit_product($bug->product_obj->id)) { - ThrowUserError("product_edit_denied", - { product => $bug->product }); - } -} - # Component, target_milestone, and version are in here just in case # the 'product' field wasn't defined in the CGI. It doesn't hurt to set # them twice. |