From 318295325c43fcc8fd3253c46525c3ce57df1329 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Sat, 17 Sep 2011 13:43:43 +0200 Subject: Bug 686227: Users with editcomponents privs must be able to add products they cannot see to the inclusion and exclusion lists when creating or editing a flagtype r=dkl a=LpSolit --- Bugzilla/FlagType.pm | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) (limited to 'Bugzilla/FlagType.pm') diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm index bd3f7b054..7f37dd884 100644 --- a/Bugzilla/FlagType.pm +++ b/Bugzilla/FlagType.pm @@ -357,7 +357,15 @@ sub set_request_group { $_[0]->set('request_group_id', $_[1]); } sub set_clusions { my ($self, $list) = @_; + my $user = Bugzilla->user; my %products; + my $params = {}; + + # If the user has editcomponents privs, then we only need to make sure + # that the product exists. + if ($user->in_group('editcomponents')) { + $params->{allow_inaccessible} = 1; + } foreach my $category (keys %$list) { my %clusions; @@ -369,8 +377,16 @@ sub set_clusions { my $comp_name = '__Any__'; # Does the product exist? if ($prod_id) { - $products{$prod_id} ||= Bugzilla::Product->check({ id => $prod_id }); - detaint_natural($prod_id); + detaint_natural($prod_id) + || ThrowCodeError('param_must_be_numeric', + { function => 'Bugzilla::FlagType::set_clusions' }); + + if (!$products{$prod_id}) { + $params->{id} = $prod_id; + $products{$prod_id} = Bugzilla::Product->check($params); + $user->in_group('editcomponents', $prod_id) + || ThrowUserError('product_access_denied', $params); + } $prod_name = $products{$prod_id}->name; # Does the component belong to this product? -- cgit v1.2.3-24-g4f1b