From e2f691c9eb53c6a9c8b02b740b444e6d558e35e8 Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Mon, 12 Dec 2005 11:12:25 +0000 Subject: Bug 271596: editcomponents priv allows you to see/edit products you don't have access to - Patch by Frédéric Buclin r=wicked a=justdave MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- editversions.cgi | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'editversions.cgi') diff --git a/editversions.cgi b/editversions.cgi index eae1001ca..be2c8a3c6 100755 --- a/editversions.cgi +++ b/editversions.cgi @@ -69,20 +69,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts')); # unless ($product_name) { - - my @products = Bugzilla::Product::get_all_products(); - + $vars->{'products'} = $user->get_selectable_products; $vars->{'showbugcounts'} = $showbugcounts; - $vars->{'products'} = \@products; - $template->process("admin/versions/select-product.html.tmpl", - $vars) - || ThrowTemplateError($template->error()); + $template->process("admin/versions/select-product.html.tmpl", $vars) + || ThrowTemplateError($template->error()); exit; } +# First make sure the product name is valid. my $product = Bugzilla::Product::check_product($product_name); +# Then make sure the user is allowed to edit properties of this product. +$user->can_see_product($product->name) + || ThrowUserError('product_access_denied', {product => $product->name}); + + # # action='' -> Show nice list of versions # -- cgit v1.2.3-24-g4f1b