Commit 7a9a4fdc authored by Robert Webb's avatar Robert Webb Committed by Max Kanat-Alexander

Bug 683025 - Add a check_for_edit to Bugzilla::Bug to return the bug object

if the user can edit the bug r=mkanat, a=mkanat
parent 4055a481
...@@ -403,6 +403,16 @@ sub check { ...@@ -403,6 +403,16 @@ sub check {
return $self; return $self;
} }
sub check_for_edit {
my $class = shift;
my $bug = $class->check(@_);
Bugzilla->user->can_edit_product($bug->product_id)
|| ThrowUserError("product_edit_denied", { product => $bug->product });
return $bug;
}
sub check_is_visible { sub check_is_visible {
my $self = shift; my $self = shift;
my $user = Bugzilla->user; my $user = Bugzilla->user;
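Review bot: check_for_edit is added without a comment or POD, and its name promises more than the body enforces: beyond check(), the only test is can_edit_product on the bug's current product, evaluated for the global Bugzilla->user. A caller could read it as full authorization to modify the bug, so the contract should be stated next to the sub, for example `# Like check(), but also throws product_edit_denied unless Bugzilla->user may edit the bug's current product; no field-level permission checks are performed here.` Whether field-level checks run elsewhere (presumably in the setters) is not visible in this section and should be confirmed.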
......
...@@ -119,7 +119,7 @@ sub _check_value { ...@@ -119,7 +119,7 @@ sub _check_value {
} }
my $ref_bug_id = $uri->query_param('id'); my $ref_bug_id = $uri->query_param('id');
my $ref_bug = Bugzilla::Bug->check($ref_bug_id); my $ref_bug = Bugzilla::Bug->check_for_edit($ref_bug_id);
my $self_bug_id = $params->{bug_id}; my $self_bug_id = $params->{bug_id};
$params->{ref_bug} = $ref_bug; $params->{ref_bug} = $ref_bug;
...@@ -127,12 +127,6 @@ sub _check_value { ...@@ -127,12 +127,6 @@ sub _check_value {
ThrowUserError('see_also_self_reference'); ThrowUserError('see_also_self_reference');
} }
my $product = $ref_bug->product_obj;
if (!Bugzilla->user->can_edit_product($product->id)) {
ThrowUserError("product_edit_denied",
{ product => $product->name });
}
return $uri; return $uri;
} }
......
...@@ -481,7 +481,7 @@ sub update { ...@@ -481,7 +481,7 @@ sub update {
my $ids = delete $params->{ids}; my $ids = delete $params->{ids};
defined $ids || ThrowCodeError('param_required', { param => 'ids' }); defined $ids || ThrowCodeError('param_required', { param => 'ids' });
my @bugs = map { Bugzilla::Bug->check($_) } @$ids; my @bugs = map { Bugzilla::Bug->check_for_edit($_) } @$ids;
my %values = %$params; my %values = %$params;
$values{other_bugs} = \@bugs; $values{other_bugs} = \@bugs;
...@@ -497,11 +497,6 @@ sub update { ...@@ -497,11 +497,6 @@ sub update {
delete $values{flags}; delete $values{flags};
foreach my $bug (@bugs) { foreach my $bug (@bugs) {
if (!$user->can_edit_product($bug->product_obj->id) ) {
ThrowUserError("product_edit_denied",
{ product => $bug->product });
}
$bug->set_all(\%values); $bug->set_all(\%values);
} }
...@@ -632,11 +627,7 @@ sub add_attachment { ...@@ -632,11 +627,7 @@ sub add_attachment {
defined $params->{data} defined $params->{data}
|| ThrowCodeError('param_required', { param => 'data' }); || ThrowCodeError('param_required', { param => 'data' });
my @bugs = map { Bugzilla::Bug->check($_) } @{ $params->{ids} }; my @bugs = map { Bugzilla::Bug->check_for_edit($_) } @{ $params->{ids} };
foreach my $bug (@bugs) {
Bugzilla->user->can_edit_product($bug->product_id)
|| ThrowUserError("product_edit_denied", {product => $bug->product});
}
my @created; my @created;
$dbh->bz_start_transaction(); $dbh->bz_start_transaction();
...@@ -681,10 +672,7 @@ sub add_comment { ...@@ -681,10 +672,7 @@ sub add_comment {
(defined $comment && trim($comment) ne '') (defined $comment && trim($comment) ne '')
|| ThrowCodeError('param_required', { param => 'comment' }); || ThrowCodeError('param_required', { param => 'comment' });
my $bug = Bugzilla::Bug->check($params->{id}); my $bug = Bugzilla::Bug->check_for_edit($params->{id});
$user->can_edit_product($bug->product_id)
|| ThrowUserError("product_edit_denied", {product => $bug->product});
# Backwards-compatibility for versions before 3.6 # Backwards-compatibility for versions before 3.6
if (defined $params->{private}) { if (defined $params->{private}) {
...@@ -726,10 +714,7 @@ sub update_see_also { ...@@ -726,10 +714,7 @@ sub update_see_also {
my @bugs; my @bugs;
foreach my $id (@{ $params->{ids} }) { foreach my $id (@{ $params->{ids} }) {
my $bug = Bugzilla::Bug->check($id); my $bug = Bugzilla::Bug->check_for_edit($id);
$user->can_edit_product($bug->product_id)
|| ThrowUserError("product_edit_denied",
{ product => $bug->product });
push(@bugs, $bug); push(@bugs, $bug);
if ($remove) { if ($remove) {
$bug->remove_see_also($_) foreach @$remove; $bug->remove_see_also($_) foreach @$remove;
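Review bot: In update_see_also the call to check_for_edit sits inside the same loop that goes on to call remove_see_also, so when several ids are passed the earlier bugs are already modified in memory by the time a later id is rejected. update and add_attachment in this same file now authorize every id before touching any bug, and doing the same here keeps a denied request from leaving partially changed objects behind. I would hoist the lookup, `my @bugs = map { Bugzilla::Bug->check_for_edit($_) } @{ $params->{ids} };`, and then iterate with `foreach my $bug (@bugs) {`. The rest of the loop lies outside the hunk, so whether anything is written to the database before the loop finishes cannot be seen from here.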
......
...@@ -96,14 +96,14 @@ sub should_set { ...@@ -96,14 +96,14 @@ sub should_set {
# Create a list of objects for all bugs being modified in this request. # Create a list of objects for all bugs being modified in this request.
my @bug_objects; my @bug_objects;
if (defined $cgi->param('id')) { if (defined $cgi->param('id')) {
my $bug = Bugzilla::Bug->check(scalar $cgi->param('id')); my $bug = Bugzilla::Bug->check_for_edit(scalar $cgi->param('id'));
$cgi->param('id', $bug->id); $cgi->param('id', $bug->id);
push(@bug_objects, $bug); push(@bug_objects, $bug);
} else { } else {
foreach my $i ($cgi->param()) { foreach my $i ($cgi->param()) {
if ($i =~ /^id_([1-9][0-9]*)/) { if ($i =~ /^id_([1-9][0-9]*)/) {
my $id = $1; my $id = $1;
push(@bug_objects, Bugzilla::Bug->check($id)); push(@bug_objects, Bugzilla::Bug->check_for_edit($id));
} }
} }
} }
...@@ -213,15 +213,6 @@ else { ...@@ -213,15 +213,6 @@ else {
$action = 'nothing'; $action = 'nothing';
} }
# For each bug, we have to check if the user can edit the bug the product
# is currently in, before we allow them to change anything.
foreach my $bug (@bug_objects) {
if (!$user->can_edit_product($bug->product_obj->id)) {
ThrowUserError("product_edit_denied",
{ product => $bug->product });
}
}
# Component, target_milestone, and version are in here just in case # Component, target_milestone, and version are in here just in case
# the 'product' field wasn't defined in the CGI. It doesn't hurt to set # the 'product' field wasn't defined in the CGI. It doesn't hurt to set
# them twice. # them twice.
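Review bot: The deleted block carried the only explanation of why the permission test is made against the product the bug is currently in, before anything is changed, and nothing at the new call sites says that check_for_edit now covers it. A reader of the loading code at the top of this section sees only a lookup. I would extend the existing comment there to `# Create a list of objects for all bugs being modified in this request. check_for_edit also verifies that the user can edit the product each bug is currently in, before anything is changed.` The check now also runs earlier in the script than the removed loop did. The code between the two hunks is not shown, so it is worth confirming that nothing in between depended on the old ordering.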
......