diff options
-rw-r--r-- | Bugzilla/User.pm | 22 | ||||
-rwxr-xr-x | editcomponents.cgi | 18 | ||||
-rwxr-xr-x | editmilestones.cgi | 16 | ||||
-rwxr-xr-x | editproducts.cgi | 53 | ||||
-rwxr-xr-x | editversions.cgi | 16 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 4 |
6 files changed, 88 insertions, 41 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index d35077a4b..9f6c415ef 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -452,12 +452,15 @@ sub can_see_product { sub get_selectable_products { my $self = shift; + my $classification_id = shift; if (defined $self->{selectable_products}) { return $self->{selectable_products}; } my $dbh = Bugzilla->dbh; + my @params = (); + my $query = "SELECT id " . "FROM products " . "LEFT JOIN group_control_map " . @@ -470,9 +473,17 @@ sub get_selectable_products { } $query .= "AND group_id NOT IN(" . $self->groups_as_string . ") " . - "WHERE group_id IS NULL ORDER BY name"; + "WHERE group_id IS NULL "; + + if (Param('useclassification') && $classification_id) { + $query .= "AND classification_id = ? "; + detaint_natural($classification_id); + push(@params, $classification_id); + } - my $prod_ids = $dbh->selectcol_arrayref($query); + $query .= "ORDER BY name"; + + my $prod_ids = $dbh->selectcol_arrayref($query, undef, @params); my @products; foreach my $prod_id (@$prod_ids) { push(@products, new Bugzilla::Product($prod_id)); @@ -1603,9 +1614,12 @@ method should be called in such a case to force reresolution of these groups. =item C<get_selectable_products> - Description: Returns all products the user is allowed to access. + Description: Returns all products the user is allowed to access. This list + is restricted to some given classification if $classification_id + is given. - Params: none + Params: $classification_id - (optional) The ID of the classification + the products belong to. Returns: An array of product objects, sorted by the product name. diff --git a/editcomponents.cgi b/editcomponents.cgi index 60074cb40..d514fb3bf 100755 --- a/editcomponents.cgi +++ b/editcomponents.cgi @@ -20,6 +20,7 @@ # # Contributor(s): Holger Schurig <holgerschurig@nikocity.de> # Terry Weissman <terry@mozilla.org> +# Frédéric Buclin <LpSolit@gmail.com> # # Direct any questions on this source code to # @@ -71,21 +72,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts')); # unless ($product_name) { - - my @products = Bugzilla::Product::get_all_products(); - + $vars->{'products'} = $user->get_selectable_products; $vars->{'showbugcounts'} = $showbugcounts; - $vars->{'products'} = \@products; - $template->process("admin/components/select-product.html.tmpl", - $vars) - || ThrowTemplateError($template->error()); - + $template->process("admin/components/select-product.html.tmpl", $vars) + || ThrowTemplateError($template->error()); exit; } +# First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); +# Then make sure the user is allowed to edit properties of this product. +$user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + + # # action='' -> Show nice list of components # diff --git a/editmilestones.cgi b/editmilestones.cgi index 95babd737..c87828526 100755 --- a/editmilestones.cgi +++ b/editmilestones.cgi @@ -60,20 +60,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts')); # unless ($product_name) { - - my @products = Bugzilla::Product::get_all_products(); - + $vars->{'products'} = $user->get_selectable_products; $vars->{'showbugcounts'} = $showbugcounts; - $vars->{'products'} = \@products; - $template->process("admin/milestones/select-product.html.tmpl", - $vars) - || ThrowTemplateError($template->error()); + $template->process("admin/milestones/select-product.html.tmpl", $vars) + || ThrowTemplateError($template->error()); exit; } +# First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); +# Then make sure the user is allowed to edit properties of this product. +$user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + + # # action='' -> Show nice list of milestones # diff --git a/editproducts.cgi b/editproducts.cgi index b4007a2f4..2b7c5dc5d 100755 --- a/editproducts.cgi +++ b/editproducts.cgi @@ -82,15 +82,10 @@ if (Param('useclassification') && !$classification_name && !$product_name) { - my @classifications = - Bugzilla::Classification::get_all_classifications(); + $vars->{'classifications'} = $user->get_selectable_classifications; - $vars->{'classifications'} = \@classifications; - - $template->process("admin/products/list-classifications.html.tmpl", - $vars) + $template->process("admin/products/list-classifications.html.tmpl", $vars) || ThrowTemplateError($template->error()); - exit; } @@ -101,19 +96,19 @@ if (Param('useclassification') # if (!$action && !$product_name) { - my @products; + my $products; if (Param('useclassification')) { my $classification = Bugzilla::Classification::check_classification($classification_name); - @products = @{$classification->products}; + $products = $user->get_selectable_products($classification->id); $vars->{'classification'} = $classification; } else { - @products = Bugzilla::Product::get_all_products; + $products = $user->get_selectable_products; } - $vars->{'products'} = \@products; + $vars->{'products'} = $products; $vars->{'showbugcounts'} = $showbugcounts; $template->process("admin/products/list.html.tmpl", $vars) @@ -327,9 +322,13 @@ if ($action eq 'new') { # if ($action eq 'del') { - + # First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + if (Param('useclassification')) { my $classification = Bugzilla::Classification::check_classification($classification_name); @@ -353,8 +352,12 @@ if ($action eq 'del') { # if ($action eq 'delete') { - + # First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); + + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); $vars->{'product'} = $product; @@ -425,9 +428,13 @@ if ($action eq 'delete') { # if ($action eq 'edit' || (!$action && $product_name)) { - + # First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + if (Param('useclassification')) { my $classification; if (!$classification_name) { @@ -476,8 +483,13 @@ if ($action eq 'edit' || (!$action && $product_name)) { # if ($action eq 'updategroupcontrols') { - + # First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); + + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + my @now_na = (); my @now_mandatory = (); foreach my $f ($cgi->param()) { @@ -739,8 +751,13 @@ if ($action eq 'update') { my $checkvotes = 0; + # First make sure the product name is valid. my $product_old = Bugzilla::Product::check_product($product_old_name); + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product_old->name) + || ThrowUserError('product_access_denied', {product => $product_old->name}); + if (Param('useclassification')) { my $classification; if (!$classification_name) { @@ -971,7 +988,13 @@ if ($action eq 'update') { # if ($action eq 'editgroupcontrols') { + # First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); + + # Then make sure the user is allowed to edit properties of this product. + $user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + # Display a group if it is either enabled or has bugs for this product. my $groups = $dbh->selectall_arrayref( 'SELECT id, name, entry, membercontrol, othercontrol, canedit, diff --git a/editversions.cgi b/editversions.cgi index eae1001ca..be2c8a3c6 100755 --- a/editversions.cgi +++ b/editversions.cgi @@ -69,20 +69,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts')); # unless ($product_name) { - - my @products = Bugzilla::Product::get_all_products(); - + $vars->{'products'} = $user->get_selectable_products; $vars->{'showbugcounts'} = $showbugcounts; - $vars->{'products'} = \@products; - $template->process("admin/versions/select-product.html.tmpl", - $vars) - || ThrowTemplateError($template->error()); + $template->process("admin/versions/select-product.html.tmpl", $vars) + || ThrowTemplateError($template->error()); exit; } +# First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); +# Then make sure the user is allowed to edit properties of this product. +$user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + + # # action='' -> Show nice list of versions # diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index e911b39d2..350f2c8a0 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1015,6 +1015,10 @@ create the milestone '[% defaultmilestone FILTER html %]'</a> before it can be made the default milestone for product '[% product FILTER html %]'. + [% ELSIF error == "product_access_denied" %] + [% title = "Product Access Denied" %] + You are not allowed to edit properties of product '[% product FILTER html %]'. + [% ELSIF error == "product_blank_name" %] [% title = "Blank Product Name Not Allowed" %] You must enter a name for the new product. |