From 6d9f4df1cac372b2bfbcdb1fe947c302964fb509 Mon Sep 17 00:00:00 2001
From: "justdave%syndicomm.com" <>
Date: Wed, 6 Jun 2001 11:32:45 +0000
Subject: Fix for bug 82781: describecomponents.cgi now checks viewing
 permissions to make sure you can see a product Patch by Myk Melez
 <myk@mozilla.org> r= tara@tequilarista.org

---
 describecomponents.cgi | 44 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

(limited to 'describecomponents.cgi')

diff --git a/describecomponents.cgi b/describecomponents.cgi
index 4353af2fc..95f5ba316 100755
--- a/describecomponents.cgi
+++ b/describecomponents.cgi
@@ -30,10 +30,50 @@ require "CGI.pl";
 ConnectToDatabase();
 GetVersionTable();
 
+quietly_check_login();
+
+######################################################################
+# Begin Data/Security Validation
+######################################################################
+
+# If this installation uses bug groups to restrict access to products,
+# only show the user products that don't have their own bug group or
+# those whose bug group the user is a member of.  Otherwise, if this 
+# installation doesn't use bug groups, show the user all legal products.
+my @products;
+if ( Param("usebuggroups") ) {
+  @products = grep( !GroupExists($_) || UserInGroup($_) , @::legal_product );
+} else {
+  @products = @::legal_product;
+}
+
+if ( defined $::FORM{'product'} ) {
+  # Make sure the user specified a valid product name.  Note that
+  # if the user specifies a valid product name but is not authorized
+  # to access that product, they will receive a different error message
+  # which could enable people guessing product names to determine
+  # whether or not certain products exist in Bugzilla, even if they
+  # cannot get any other information about that product.
+  grep( $::FORM{'product'} eq $_ , @::legal_product )
+    || DisplayError("The product name is invalid.")
+    && exit;
+
+  # Make sure the user is authorized to access this product.
+  if ( Param("usebuggroups") && GroupExists($::FORM{'product'}) ) {
+    UserInGroup($::FORM{'product'})
+      || DisplayError("You are not authorized to access that product.")
+      && exit;
+  }
+}
+
+######################################################################
+# End Data/Security Validation
+######################################################################
+
 print "Content-type: text/html\n\n";
 
 my $product = $::FORM{'product'};
-if (!defined $product || lsearch(\@::legal_product, $product) < 0) {
+if (!defined $product || lsearch(\@products, $product) < 0) {
 
     PutHeader("Bugzilla component description");
     print "
@@ -42,7 +82,7 @@ Please specify the product whose components you want described.
 <P>
 Product: <SELECT NAME=product>
 ";
-    print make_options(\@::legal_product);
+    print make_options(\@products);
     print "
 </SELECT>
 <P>
-- 
cgit v1.2.3-24-g4f1b