From e2f691c9eb53c6a9c8b02b740b444e6d558e35e8 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 12 Dec 2005 11:12:25 +0000
Subject: Bug 271596: editcomponents priv allows you to see/edit products you
 don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked
 a=justdave
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Bugzilla/User.pm | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

(limited to 'Bugzilla/User.pm')

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index d35077a4b..9f6c415ef 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -452,12 +452,15 @@ sub can_see_product {
 
 sub get_selectable_products {
     my $self = shift;
+    my $classification_id = shift;
 
     if (defined $self->{selectable_products}) {
         return $self->{selectable_products};
     }
 
     my $dbh = Bugzilla->dbh;
+    my @params = ();
+
     my $query = "SELECT id " .
                 "FROM products " .
                 "LEFT JOIN group_control_map " .
@@ -470,9 +473,17 @@ sub get_selectable_products {
     }
     $query .= "AND group_id NOT IN(" . 
                $self->groups_as_string . ") " .
-              "WHERE group_id IS NULL ORDER BY name";
+              "WHERE group_id IS NULL ";
+
+    if (Param('useclassification') && $classification_id) {
+        $query .= "AND classification_id = ? ";
+        detaint_natural($classification_id);
+        push(@params, $classification_id);
+    }
 
-    my $prod_ids = $dbh->selectcol_arrayref($query);
+    $query .= "ORDER BY name";
+
+    my $prod_ids = $dbh->selectcol_arrayref($query, undef, @params);
     my @products;
     foreach my $prod_id (@$prod_ids) {
         push(@products, new Bugzilla::Product($prod_id));
@@ -1603,9 +1614,12 @@ method should be called in such a case to force reresolution of these groups.
 
 =item C<get_selectable_products>
 
- Description: Returns all products the user is allowed to access.
+ Description: Returns all products the user is allowed to access. This list
+              is restricted to some given classification if $classification_id
+              is given.
 
- Params:      none
+ Params:      $classification_id - (optional) The ID of the classification
+                                   the products belong to.
 
  Returns:     An array of product objects, sorted by the product name.
 
-- 
cgit v1.2.3-24-g4f1b