From 2039a990c46a153a30a15b6e76e19062c5565e02 Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Sat, 1 Aug 2009 12:35:46 +0000 Subject: Bug 507389: [SECURITY] Users can see all products when editing bugs - Patch by Frédéric Buclin r=mkanat a=LpSolit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- template/en/default/bug/edit.html.tmpl | 8 ++++++++ template/en/default/bug/field.html.tmpl | 6 +++++- 2 files changed, 13 insertions(+), 1 deletion(-) (limited to 'template') diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl index 9434271d8..2ce19833e 100644 --- a/template/en/default/bug/edit.html.tmpl +++ b/template/en/default/bug/edit.html.tmpl @@ -375,8 +375,16 @@ [%#############%] + [% IF bug.check_can_change_field('product', 0, 1) %] + [% prod_list = user.get_enterable_products %] + [% IF NOT user.can_enter_product(bug.product) %] + [% prod_list.unshift(bug.product_obj) %] + [% END %] + [% END %] + [% INCLUDE bug/field.html.tmpl bug = bug, field = select_fields.product, + override_legal_values = prod_list desc_url = 'describecomponents.cgi', value = bug.product editable = bug.check_can_change_field('product', 0, 1) %] diff --git a/template/en/default/bug/field.html.tmpl b/template/en/default/bug/field.html.tmpl index 039910f1d..e8ed85010 100644 --- a/template/en/default/bug/field.html.tmpl +++ b/template/en/default/bug/field.html.tmpl @@ -23,6 +23,7 @@ [%# INTERFACE: # field: a Bugzilla::Field object # value: The value of the field for this bug. + # override_legal_values (optional): The list of legal values, for select fields. # editable: Whether the field should be displayed as an editable # or as just the plain text of its value. # allow_dont_change: display the --do_not_change-- option for select fields. @@ -130,7 +131,10 @@ [% dontchange FILTER html %] [% END %] - [% FOREACH legal_value = field.legal_values %] + [% IF NOT override_legal_values %] + [% override_legal_values = field.legal_values %] + [% END %] + [% FOREACH legal_value = override_legal_values %] [% SET control_value = legal_value.visibility_value %] [% SET control_field = field.value_field %]