From e2f691c9eb53c6a9c8b02b740b444e6d558e35e8 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 12 Dec 2005 11:12:25 +0000
Subject: Bug 271596: editcomponents priv allows you to see/edit products you
 don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked
 a=justdave
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 editmilestones.cgi | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

(limited to 'editmilestones.cgi')

diff --git a/editmilestones.cgi b/editmilestones.cgi
index 95babd737..c87828526 100755
--- a/editmilestones.cgi
+++ b/editmilestones.cgi
@@ -60,20 +60,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts'));
 #
 
 unless ($product_name) {
-    
-    my @products = Bugzilla::Product::get_all_products();
-
+    $vars->{'products'} = $user->get_selectable_products;
     $vars->{'showbugcounts'} = $showbugcounts;
-    $vars->{'products'} = \@products;
-    $template->process("admin/milestones/select-product.html.tmpl",
-                       $vars)
-      || ThrowTemplateError($template->error());
 
+    $template->process("admin/milestones/select-product.html.tmpl", $vars)
+      || ThrowTemplateError($template->error());
     exit;
 }
 
+# First make sure the product name is valid.
 my $product = Bugzilla::Product::check_product($product_name);
 
+# Then make sure the user is allowed to edit properties of this product.
+$user->can_see_product($product->name)
+  || ThrowUserError('product_access_denied', {product => $product->name});
+
+
 #
 # action='' -> Show nice list of milestones
 #
-- 
cgit v1.2.3-24-g4f1b