Skip to content

bugzilla
bugzilla
Commit 847191ac authored by Simon Green's avatar Simon Green Committed by Simon Green
Browse files
Options

Bug 1009406 - A user with local editcomponents privs cannot update the inclusion…

Bug 1009406 - A user with local editcomponents privs cannot update the inclusion and exclusion lists when the flagtype is already restricted to products the user cannot edit r=dkl, a=simon
parent caf21973
Hide whitespace changes
Inline Side-by-side
Showing with 17 additions and 2 deletions
Bugzilla/FlagType.pm
View file @ 847191ac
......@@ -41,6 +41,7 @@ use Bugzilla::Util;
use Bugzilla::Group;
use Email::Address;
use List::MoreUtils qw(uniq);
use parent qw(Bugzilla::Object);
......@@ -379,8 +380,6 @@ sub set_clusions {
if (!$products{$prod_id}) {
$params->{id} = $prod_id;
$products{$prod_id} = Bugzilla::Product->check($params);
$user->in_group('editcomponents', $prod_id)
|| ThrowUserError('product_access_denied', $params);
}
$prod_name = $products{$prod_id}->name;
......@@ -406,6 +405,22 @@ sub set_clusions {
$clusions{"$prod_name:$comp_name"} = "$prod_id:$comp_id";
$clusions_as_hash{$prod_id}->{$comp_id} = 1;
}
# Check the user has the editcomponent permission on products that are changing
if (! $user->in_group('editcomponents')) {
my $current_clusions = $self->$category;
my ($removed, $added)
= diff_arrays([ values %$current_clusions ], [ values %clusions ]);
my @changed_product_ids
= uniq map { substr($_, 0, index($_, ':')) } @$removed, @$added;
foreach my $product_id (@changed_product_ids) {
$user->in_group('editcomponents', $product_id)
|| ThrowUserError('product_access_denied',
{ name => $products{$product_id}->name });
}
}
# Set the changes
$self->{$category} = \%clusions;
$self->{"${category}_as_hash"} = \%clusions_as_hash;
$self->{"_update_$category"} = 1;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment