Commit 8e3d2def authored by Simon Green's avatar Simon Green Committed by Simon Green

Bug 1009406 - A user with local editcomponents privs cannot update the inclusion…

Bug 1009406 - A user with local editcomponents privs cannot update the inclusion and exclusion lists when the flagtype is already restricted to products the user cannot edit r=dkl, a=simon
parent 1e5bdcd7
...@@ -39,6 +39,7 @@ use Bugzilla::Util; ...@@ -39,6 +39,7 @@ use Bugzilla::Util;
use Bugzilla::Group; use Bugzilla::Group;
use Email::Address; use Email::Address;
use List::MoreUtils qw(uniq);
use base qw(Bugzilla::Object); use base qw(Bugzilla::Object);
...@@ -369,8 +370,6 @@ sub set_clusions { ...@@ -369,8 +370,6 @@ sub set_clusions {
if (!$products{$prod_id}) { if (!$products{$prod_id}) {
$params->{id} = $prod_id; $params->{id} = $prod_id;
$products{$prod_id} = Bugzilla::Product->check($params); $products{$prod_id} = Bugzilla::Product->check($params);
$user->in_group('editcomponents', $prod_id)
|| ThrowUserError('product_access_denied', $params);
} }
$prod_name = $products{$prod_id}->name; $prod_name = $products{$prod_id}->name;
...@@ -396,6 +395,22 @@ sub set_clusions { ...@@ -396,6 +395,22 @@ sub set_clusions {
$clusions{"$prod_name:$comp_name"} = "$prod_id:$comp_id"; $clusions{"$prod_name:$comp_name"} = "$prod_id:$comp_id";
$clusions_as_hash{$prod_id}->{$comp_id} = 1; $clusions_as_hash{$prod_id}->{$comp_id} = 1;
} }
# Check the user has the editcomponent permission on products that are changing
if (! $user->in_group('editcomponents')) {
my $current_clusions = $self->$category;
my ($removed, $added)
= diff_arrays([ values %$current_clusions ], [ values %clusions ]);
my @changed_product_ids
= uniq map { substr($_, 0, index($_, ':')) } @$removed, @$added;
foreach my $product_id (@changed_product_ids) {
$user->in_group('editcomponents', $product_id)
|| ThrowUserError('product_access_denied',
{ name => $products{$product_id}->name });
}
}
# Set the changes
$self->{$category} = \%clusions; $self->{$category} = \%clusions;
$self->{"${category}_as_hash"} = \%clusions_as_hash; $self->{"${category}_as_hash"} = \%clusions_as_hash;
$self->{"_update_$category"} = 1; $self->{"_update_$category"} = 1;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment