Bug 686227: Users with editcomponents privs must be able to add products they…

Bug 686227: Users with editcomponents privs must be able to add products they cannot see to the inclusion and exclusion lists when creating or editing a flagtype r=dkl a=LpSolit

Bug 686227: Users with editcomponents privs must be able to add products they…
31829532 · Frédéric Buclin · ce96ea37 · 31829532
Commit 31829532 authored Sep 17, 2011 by Frédéric Buclin
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 2 deletions

FlagType.pm Bugzilla/FlagType.pm +18 -2

No files found.
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -357,7 +357,15 @@ sub set_request_group    { $_[0]->set('request_group_id', $_[1]); }
 sub set_clusions {
    my ($self, $list) = @_;
+    my $user = Bugzilla->user;
    my %products;
+    my $params = {};
+    # If the user has editcomponents privs, then we only need to make sure
+    # that the product exists.
+    if ($user->in_group('editcomponents')) {
+        $params->{allow_inaccessible} = 1;
+    }
    foreach my $category (keys %$list) {
        my %clusions;
@@ -369,8 +377,16 @@ sub set_clusions {
            my $comp_name = '__Any__';
            # Does the product exist?
            if ($prod_id) {
-                $products{$prod_id} ||= Bugzilla::Product->check({ id => $prod_id });
+                detaint_natural($prod_id)
-                detaint_natural($prod_id);
+                  || ThrowCodeError('param_must_be_numeric',
+                                    { function => 'Bugzilla::FlagType::set_clusions' });
+                if (!$products{$prod_id}) {
+                    $params->{id} = $prod_id;
+                    $products{$prod_id} = Bugzilla::Product->check($params);
+                    $user->in_group('editcomponents', $prod_id)
+                      || ThrowUserError('product_access_denied', $params);
+                }
                $prod_name = $products{$prod_id}->name;
                # Does the component belong to this product?