Commit e2f691c9 authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 271596: editcomponents priv allows you to see/edit products you don't have…

Bug 271596: editcomponents priv allows you to see/edit products you don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=justdave
parent 545a57e3
...@@ -452,12 +452,15 @@ sub can_see_product { ...@@ -452,12 +452,15 @@ sub can_see_product {
sub get_selectable_products { sub get_selectable_products {
my $self = shift; my $self = shift;
my $classification_id = shift;
if (defined $self->{selectable_products}) { if (defined $self->{selectable_products}) {
return $self->{selectable_products}; return $self->{selectable_products};
} }
my $dbh = Bugzilla->dbh; my $dbh = Bugzilla->dbh;
my @params = ();
my $query = "SELECT id " . my $query = "SELECT id " .
"FROM products " . "FROM products " .
"LEFT JOIN group_control_map " . "LEFT JOIN group_control_map " .
...@@ -470,9 +473,17 @@ sub get_selectable_products { ...@@ -470,9 +473,17 @@ sub get_selectable_products {
} }
$query .= "AND group_id NOT IN(" . $query .= "AND group_id NOT IN(" .
$self->groups_as_string . ") " . $self->groups_as_string . ") " .
"WHERE group_id IS NULL ORDER BY name"; "WHERE group_id IS NULL ";
if (Param('useclassification') && $classification_id) {
$query .= "AND classification_id = ? ";
detaint_natural($classification_id);
push(@params, $classification_id);
}
my $prod_ids = $dbh->selectcol_arrayref($query); $query .= "ORDER BY name";
my $prod_ids = $dbh->selectcol_arrayref($query, undef, @params);
my @products; my @products;
foreach my $prod_id (@$prod_ids) { foreach my $prod_id (@$prod_ids) {
push(@products, new Bugzilla::Product($prod_id)); push(@products, new Bugzilla::Product($prod_id));
...@@ -1603,9 +1614,12 @@ method should be called in such a case to force reresolution of these groups. ...@@ -1603,9 +1614,12 @@ method should be called in such a case to force reresolution of these groups.
=item C<get_selectable_products> =item C<get_selectable_products>
Description: Returns all products the user is allowed to access. Description: Returns all products the user is allowed to access. This list
is restricted to some given classification if $classification_id
is given.
Params: none Params: $classification_id - (optional) The ID of the classification
the products belong to.
Returns: An array of product objects, sorted by the product name. Returns: An array of product objects, sorted by the product name.
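Review bot: The cached early return at the top of get_selectable_products still keys only on $self->{selectable_products}, yet the result now depends on the new $classification_id argument; if the assignment below the hunk (not visible here) still stores into that single slot, whichever call happens first on a user object decides what every later call returns, filtered or not. Inside one CGI request this is probably masked, but the POD now advertises the parameter as optional on a public method. Key the cache on the classification, e.g. `my $key = $classification_id || 0;` then `return $self->{selectable_products}->{$key} if defined $self->{selectable_products}->{$key};`, or cache the unfiltered list once and grep it by classification_id on return. Separately, the return value of `detaint_natural($classification_id)` is ignored, so a non-numeric id is still bound into the query (safe against injection since it is a placeholder, but it silently matches nothing); checking it and reporting the failure with the module's usual error routine would be clearer. The sub's body continues past the end of the hunk.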
......
...@@ -20,6 +20,7 @@ ...@@ -20,6 +20,7 @@
# #
# Contributor(s): Holger Schurig <holgerschurig@nikocity.de> # Contributor(s): Holger Schurig <holgerschurig@nikocity.de>
# Terry Weissman <terry@mozilla.org> # Terry Weissman <terry@mozilla.org>
# Frédéric Buclin <LpSolit@gmail.com>
# #
# Direct any questions on this source code to # Direct any questions on this source code to
# #
...@@ -71,21 +72,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts')); ...@@ -71,21 +72,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts'));
# #
unless ($product_name) { unless ($product_name) {
$vars->{'products'} = $user->get_selectable_products;
my @products = Bugzilla::Product::get_all_products();
$vars->{'showbugcounts'} = $showbugcounts; $vars->{'showbugcounts'} = $showbugcounts;
$vars->{'products'} = \@products;
$template->process("admin/components/select-product.html.tmpl",
$vars)
|| ThrowTemplateError($template->error());
$template->process("admin/components/select-product.html.tmpl", $vars)
|| ThrowTemplateError($template->error());
exit; exit;
} }
# First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name); my $product = Bugzilla::Product::check_product($product_name);
# Then make sure the user is allowed to edit properties of this product.
$user->can_see_product($product->name)
|| ThrowUserError('product_access_denied', {product => $product->name});
# #
# action='' -> Show nice list of components # action='' -> Show nice list of components
# #
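Review bot: The new access check on the lines after check_product turns the script into an existence oracle: an unknown name fails inside check_product with its own error (presumably a "product doesn't exist" error, not visible here), while a name the caller may not see fails with product_access_denied and echoes the confirmed name back, so an editcomponents holder can probe which confidential products exist. Because editcomponents members are already semi-trusted this is minor, but if product names are themselves sensitive both failures should look identical, e.g. by throwing the same error check_product uses for an unknown product instead of `ThrowUserError('product_access_denied', {product => $product->name})`. The identical pattern is repeated in editmilestones.cgi, editversions.cgi and every action of editproducts.cgi in this commit, so the decision should be made once. Also, can_see_product is handed the product name and so presumably re-resolves a product this script already holds as an object; a variant taking the object or id would save a lookup, though its signature is outside these hunks.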
......
...@@ -60,20 +60,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts')); ...@@ -60,20 +60,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts'));
# #
unless ($product_name) { unless ($product_name) {
$vars->{'products'} = $user->get_selectable_products;
my @products = Bugzilla::Product::get_all_products();
$vars->{'showbugcounts'} = $showbugcounts; $vars->{'showbugcounts'} = $showbugcounts;
$vars->{'products'} = \@products;
$template->process("admin/milestones/select-product.html.tmpl",
$vars)
|| ThrowTemplateError($template->error());
$template->process("admin/milestones/select-product.html.tmpl", $vars)
|| ThrowTemplateError($template->error());
exit; exit;
} }
# First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name); my $product = Bugzilla::Product::check_product($product_name);
# Then make sure the user is allowed to edit properties of this product.
$user->can_see_product($product->name)
|| ThrowUserError('product_access_denied', {product => $product->name});
# #
# action='' -> Show nice list of milestones # action='' -> Show nice list of milestones
# #
......
...@@ -82,15 +82,10 @@ if (Param('useclassification') ...@@ -82,15 +82,10 @@ if (Param('useclassification')
&& !$classification_name && !$classification_name
&& !$product_name) && !$product_name)
{ {
my @classifications = $vars->{'classifications'} = $user->get_selectable_classifications;
Bugzilla::Classification::get_all_classifications();
$vars->{'classifications'} = \@classifications; $template->process("admin/products/list-classifications.html.tmpl", $vars)
$template->process("admin/products/list-classifications.html.tmpl",
$vars)
|| ThrowTemplateError($template->error()); || ThrowTemplateError($template->error());
exit; exit;
} }
...@@ -101,19 +96,19 @@ if (Param('useclassification') ...@@ -101,19 +96,19 @@ if (Param('useclassification')
# #
if (!$action && !$product_name) { if (!$action && !$product_name) {
my @products; my $products;
if (Param('useclassification')) { if (Param('useclassification')) {
my $classification = my $classification =
Bugzilla::Classification::check_classification($classification_name); Bugzilla::Classification::check_classification($classification_name);
@products = @{$classification->products}; $products = $user->get_selectable_products($classification->id);
$vars->{'classification'} = $classification; $vars->{'classification'} = $classification;
} else { } else {
@products = Bugzilla::Product::get_all_products; $products = $user->get_selectable_products;
} }
$vars->{'products'} = \@products; $vars->{'products'} = $products;
$vars->{'showbugcounts'} = $showbugcounts; $vars->{'showbugcounts'} = $showbugcounts;
$template->process("admin/products/list.html.tmpl", $vars) $template->process("admin/products/list.html.tmpl", $vars)
...@@ -327,9 +322,13 @@ if ($action eq 'new') { ...@@ -327,9 +322,13 @@ if ($action eq 'new') {
# #
if ($action eq 'del') { if ($action eq 'del') {
# First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name); my $product = Bugzilla::Product::check_product($product_name);
# Then make sure the user is allowed to edit properties of this product.
$user->can_see_product($product->name)
|| ThrowUserError('product_access_denied', {product => $product->name});
if (Param('useclassification')) { if (Param('useclassification')) {
my $classification = my $classification =
Bugzilla::Classification::check_classification($classification_name); Bugzilla::Classification::check_classification($classification_name);
...@@ -353,9 +352,13 @@ if ($action eq 'del') { ...@@ -353,9 +352,13 @@ if ($action eq 'del') {
# #
if ($action eq 'delete') { if ($action eq 'delete') {
# First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name); my $product = Bugzilla::Product::check_product($product_name);
# Then make sure the user is allowed to edit properties of this product.
$user->can_see_product($product->name)
|| ThrowUserError('product_access_denied', {product => $product->name});
$vars->{'product'} = $product; $vars->{'product'} = $product;
if (Param('useclassification')) { if (Param('useclassification')) {
...@@ -425,9 +428,13 @@ if ($action eq 'delete') { ...@@ -425,9 +428,13 @@ if ($action eq 'delete') {
# #
if ($action eq 'edit' || (!$action && $product_name)) { if ($action eq 'edit' || (!$action && $product_name)) {
# First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name); my $product = Bugzilla::Product::check_product($product_name);
# Then make sure the user is allowed to edit properties of this product.
$user->can_see_product($product->name)
|| ThrowUserError('product_access_denied', {product => $product->name});
if (Param('useclassification')) { if (Param('useclassification')) {
my $classification; my $classification;
if (!$classification_name) { if (!$classification_name) {
...@@ -476,8 +483,13 @@ if ($action eq 'edit' || (!$action && $product_name)) { ...@@ -476,8 +483,13 @@ if ($action eq 'edit' || (!$action && $product_name)) {
# #
if ($action eq 'updategroupcontrols') { if ($action eq 'updategroupcontrols') {
# First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name); my $product = Bugzilla::Product::check_product($product_name);
# Then make sure the user is allowed to edit properties of this product.
$user->can_see_product($product->name)
|| ThrowUserError('product_access_denied', {product => $product->name});
my @now_na = (); my @now_na = ();
my @now_mandatory = (); my @now_mandatory = ();
foreach my $f ($cgi->param()) { foreach my $f ($cgi->param()) {
...@@ -739,8 +751,13 @@ if ($action eq 'update') { ...@@ -739,8 +751,13 @@ if ($action eq 'update') {
my $checkvotes = 0; my $checkvotes = 0;
# First make sure the product name is valid.
my $product_old = Bugzilla::Product::check_product($product_old_name); my $product_old = Bugzilla::Product::check_product($product_old_name);
# Then make sure the user is allowed to edit properties of this product.
$user->can_see_product($product_old->name)
|| ThrowUserError('product_access_denied', {product => $product_old->name});
if (Param('useclassification')) { if (Param('useclassification')) {
my $classification; my $classification;
if (!$classification_name) { if (!$classification_name) {
...@@ -971,7 +988,13 @@ if ($action eq 'update') { ...@@ -971,7 +988,13 @@ if ($action eq 'update') {
# #
if ($action eq 'editgroupcontrols') { if ($action eq 'editgroupcontrols') {
# First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name); my $product = Bugzilla::Product::check_product($product_name);
# Then make sure the user is allowed to edit properties of this product.
$user->can_see_product($product->name)
|| ThrowUserError('product_access_denied', {product => $product->name});
# Display a group if it is either enabled or has bugs for this product. # Display a group if it is either enabled or has bugs for this product.
my $groups = $dbh->selectall_arrayref( my $groups = $dbh->selectall_arrayref(
'SELECT id, name, entry, membercontrol, othercontrol, canedit, 'SELECT id, name, entry, membercontrol, othercontrol, canedit,
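Review bot: The same four-line "check_product, then can_see_product or ThrowUserError" sequence is pasted into six action branches of editproducts.cgi (del, delete, edit, updategroupcontrols, update, editgroupcontrols), which is precisely the pattern that let Bug 271596 happen: any future action that forgets the paste ships unprotected, and the 'new'/'add' paths are not visible here to confirm they need no check. I would hoist the sequence into one file-level helper so each action reads `my $product = check_product_access($user, $product_name);` (and `check_product_access($user, $product_old_name)` in 'update'), making the access check the only way to obtain a product object in this script. Whether can_see_product-by-name is the intended test for edit rights, and whether the $user lexical is in scope for such a helper, cannot be told from the hunks. Every action block touched here starts or ends outside its hunk.
```perl
# Look up a product by name and refuse the request unless $user may see it.
# Every action below that operates on an existing product obtains its
# Bugzilla::Product object through here, so a newly added action cannot
# omit the access check.
sub check_product_access {
    my ($user, $product_name) = @_;
    my $product = Bugzilla::Product::check_product($product_name);
    $user->can_see_product($product->name)
        || ThrowUserError('product_access_denied', {product => $product->name});
    return $product;
}

# … unchanged: classification list and product list branches …

if ($action eq 'del') {
    my $product = check_product_access($user, $product_name);
    # … unchanged: rest of 'del'; the other actions change the same way …
```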
......
...@@ -69,20 +69,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts')); ...@@ -69,20 +69,22 @@ my $showbugcounts = (defined $cgi->param('showbugcounts'));
# #
unless ($product_name) { unless ($product_name) {
$vars->{'products'} = $user->get_selectable_products;
my @products = Bugzilla::Product::get_all_products();
$vars->{'showbugcounts'} = $showbugcounts; $vars->{'showbugcounts'} = $showbugcounts;
$vars->{'products'} = \@products;
$template->process("admin/versions/select-product.html.tmpl",
$vars)
|| ThrowTemplateError($template->error());
$template->process("admin/versions/select-product.html.tmpl", $vars)
|| ThrowTemplateError($template->error());
exit; exit;
} }
# First make sure the product name is valid.
my $product = Bugzilla::Product::check_product($product_name); my $product = Bugzilla::Product::check_product($product_name);
# Then make sure the user is allowed to edit properties of this product.
$user->can_see_product($product->name)
|| ThrowUserError('product_access_denied', {product => $product->name});
# #
# action='' -> Show nice list of versions # action='' -> Show nice list of versions
# #
......
...@@ -1015,6 +1015,10 @@ ...@@ -1015,6 +1015,10 @@
create the milestone '[% defaultmilestone FILTER html %]'</a> before create the milestone '[% defaultmilestone FILTER html %]'</a> before
it can be made the default milestone for product '[% product FILTER html %]'. it can be made the default milestone for product '[% product FILTER html %]'.
[% ELSIF error == "product_access_denied" %]
[% title = "Product Access Denied" %]
You are not allowed to edit properties of product '[% product FILTER html %]'.
[% ELSIF error == "product_blank_name" %] [% ELSIF error == "product_blank_name" %]
[% title = "Blank Product Name Not Allowed" %] [% title = "Blank Product Name Not Allowed" %]
You must enter a name for the new product. You must enter a name for the new product.
......