From c17a0e4f5bc47334d459cb1ff78f3aef1f0ea358 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Wed, 3 Jun 2009 10:51:23 +0000
Subject: Bug 494072: editvalues.cgi lets you edit product names - Patch by Frédéric Buclin r/a=mkanat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 editvalues.cgi | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'editvalues.cgi')
diff --git a/editvalues.cgi b/editvalues.cgi
index 5b82cee01..3c553c8d1 100755
--- a/editvalues.cgi
+++ b/editvalues.cgi
@@ -71,11 +71,16 @@ Bugzilla->user->in_group('admin') ||
 my $action = trim($cgi->param('action') || '');
 my $token = $cgi->param('token');
+# Fields listed here must not be edited from this interface.
+my @non_editable_fields = qw(product);
+my %block_list = map { $_ => 1 } @non_editable_fields;
+
 #
 # field = '' -> Show nice list of fields
 #
 if (!$cgi->param('field')) {
- my @field_list = Bugzilla->get_fields({ is_select => 1 });
+ my @field_list = grep { !$block_list{$_->name} }
+ Bugzilla->get_fields({ is_select => 1 });
 $vars->{'fields'} = \@field_list;
 $template->process("admin/fieldvalues/select-field.html.tmpl", $vars)
@@ -85,7 +90,7 @@ if (!$cgi->param('field')) {
 # At this point, the field must be defined.
 my $field = Bugzilla::Field->check($cgi->param('field'));
-if (!$field->is_select) {
+if (!$field->is_select || $block_list{$field->name}) {
 ThrowUserError('fieldname_invalid', { field => $field });
 }
 $vars->{'field'} = $field;
--
cgit v1.2.3-24-g4f1b
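Review bot: The `%block_list` denylist added in the first hunk lives in editvalues.cgi itself, so the rule that `product` values are not editable is enforced only by this script. Whether other callers of the field-value classes are guarded cannot be seen from this diff and is worth confirming. Because it is a denylist, any future select field that has its own admin page stays editable here until someone adds it by hand; a per-field flag or shared constant on the field class would fail safer. The `grep` in the list branch only hides the entry, so the comment should say that the real check is the one in the second hunk, and why, e.g. `# Values of these fields are managed by their own admin pages; the check after Bugzilla::Field->check enforces this.`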
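Review bot: The added `$block_list{$field->name}` test in the second hunk reuses `fieldname_invalid`, so a request for an existing but deliberately blocked field is reported as an invalid field name. A separate error for the refused case would let administrators and anyone reading the logs distinguish a typo from an attempt to edit product values through this page. The guard sits before `$vars->{'field'}` is set, which looks like the right place to cover every action, but the action handlers are outside the hunk, so confirm none of them reads `$cgi->param('field')` again on its own. A one-line comment above the `if`, such as `# Reject non-select fields and fields managed elsewhere (see @non_editable_fields).`, would tie the two checks together.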