From e2f691c9eb53c6a9c8b02b740b444e6d558e35e8 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 12 Dec 2005 11:12:25 +0000
Subject: Bug 271596: editcomponents priv allows you to see/edit products you
 don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked
 a=justdave
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 editproducts.cgi | 53 ++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 38 insertions(+), 15 deletions(-)

(limited to 'editproducts.cgi')

diff --git a/editproducts.cgi b/editproducts.cgi
index b4007a2f4..2b7c5dc5d 100755
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -82,15 +82,10 @@ if (Param('useclassification')
     && !$classification_name
     && !$product_name)
 {
-    my @classifications =
-        Bugzilla::Classification::get_all_classifications();
+    $vars->{'classifications'} = $user->get_selectable_classifications;
     
-    $vars->{'classifications'} = \@classifications;
-    
-    $template->process("admin/products/list-classifications.html.tmpl",
-                       $vars)
+    $template->process("admin/products/list-classifications.html.tmpl", $vars)
         || ThrowTemplateError($template->error());
-
     exit;
 }
 
@@ -101,19 +96,19 @@ if (Param('useclassification')
 #
 
 if (!$action && !$product_name) {
-    my @products;
+    my $products;
 
     if (Param('useclassification')) {
         my $classification = 
             Bugzilla::Classification::check_classification($classification_name);
 
-        @products = @{$classification->products};
+        $products = $user->get_selectable_products($classification->id);
         $vars->{'classification'} = $classification;
     } else {
-        @products = Bugzilla::Product::get_all_products;
+        $products = $user->get_selectable_products;
     }
 
-    $vars->{'products'} = \@products;
+    $vars->{'products'} = $products;
     $vars->{'showbugcounts'} = $showbugcounts;
 
     $template->process("admin/products/list.html.tmpl", $vars)
@@ -327,9 +322,13 @@ if ($action eq 'new') {
 #
 
 if ($action eq 'del') {
-    
+    # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
 
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product->name)
+      || ThrowUserError('product_access_denied', {product => $product->name});
+
     if (Param('useclassification')) {
         my $classification = 
             Bugzilla::Classification::check_classification($classification_name);
@@ -353,8 +352,12 @@ if ($action eq 'del') {
 #
 
 if ($action eq 'delete') {
-    
+    # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
+
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product->name)
+      || ThrowUserError('product_access_denied', {product => $product->name});
     
     $vars->{'product'} = $product;
 
@@ -425,9 +428,13 @@ if ($action eq 'delete') {
 #
 
 if ($action eq 'edit' || (!$action && $product_name)) {
-
+    # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
 
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product->name)
+      || ThrowUserError('product_access_denied', {product => $product->name});
+
     if (Param('useclassification')) {
         my $classification; 
         if (!$classification_name) {
@@ -476,8 +483,13 @@ if ($action eq 'edit' || (!$action && $product_name)) {
 #
 
 if ($action eq 'updategroupcontrols') {
-
+    # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
+
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product->name)
+      || ThrowUserError('product_access_denied', {product => $product->name});
+
     my @now_na = ();
     my @now_mandatory = ();
     foreach my $f ($cgi->param()) {
@@ -739,8 +751,13 @@ if ($action eq 'update') {
 
     my $checkvotes = 0;
 
+    # First make sure the product name is valid.
     my $product_old = Bugzilla::Product::check_product($product_old_name);
 
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product_old->name)
+      || ThrowUserError('product_access_denied', {product => $product_old->name});
+
     if (Param('useclassification')) {
         my $classification; 
         if (!$classification_name) {
@@ -971,7 +988,13 @@ if ($action eq 'update') {
 #
 
 if ($action eq 'editgroupcontrols') {
+    # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
+
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product->name)
+      || ThrowUserError('product_access_denied', {product => $product->name});
+
     # Display a group if it is either enabled or has bugs for this product.
     my $groups = $dbh->selectall_arrayref(
         'SELECT id, name, entry, membercontrol, othercontrol, canedit,
-- 
cgit v1.2.3-24-g4f1b