Bug 494072: editvalues.cgi lets you edit product names - Patch by Frédéric Buclin...
authorlpsolit%gmail.com <>
Wed, 3 Jun 2009 10:53:22 +0000 (10:53 +0000)
committerlpsolit%gmail.com <>
Wed, 3 Jun 2009 10:53:22 +0000 (10:53 +0000)
editvalues.cgi

index 5b82cee01f11f0ec0fe5976dfad3bf2ae4bfd4af..3c553c8d1a2ae51907757a5fc68fe5522db6a3bf 100755 (executable)
@@ -71,11 +71,16 @@ Bugzilla->user->in_group('admin') ||
 my $action = trim($cgi->param('action')  || '');
 my $token  = $cgi->param('token');
 
+# Fields listed here must not be edited from this interface.
+my @non_editable_fields = qw(product);
+my %block_list = map { $_ => 1 } @non_editable_fields;
+
 #
 # field = '' -> Show nice list of fields
 #
 if (!$cgi->param('field')) {
-    my @field_list = Bugzilla->get_fields({ is_select => 1 });
+    my @field_list = grep { !$block_list{$_->name} }
+                       Bugzilla->get_fields({ is_select => 1 });
 
     $vars->{'fields'} = \@field_list;
     $template->process("admin/fieldvalues/select-field.html.tmpl", $vars)
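Review bot: The new `@non_editable_fields` list is a denylist whose comment says what is blocked but not why, so it fails open for any select field added later that needs the same protection. Going by the commit title, the concern is that product names must not be changed from this page; the comment should record that reason, for example `# 'product' values are managed by the product admin pages; editing them here would skip that logic.` (wording to be confirmed by someone who knows that code). The `grep` over `Bugzilla->get_fields({ is_select => 1 })` only hides the entry from the list and is not an access check in itself. The `if (!$cgi->param('field'))` branch continues past the end of the hunk.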
@@ -85,7 +90,7 @@ if (!$cgi->param('field')) {
 
 # At this point, the field must be defined.
 my $field = Bugzilla::Field->check($cgi->param('field'));
-if (!$field->is_select) {
+if (!$field->is_select || $block_list{$field->name}) {
     ThrowUserError('fieldname_invalid', { field => $field });
 }
 $vars->{'field'} = $field;
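Review bot: The condition `if (!$field->is_select || $block_list{$field->name})` is the only real enforcement of the block list, because the filtered list in the first hunk merely removes a link, yet nothing in the code says so. Keying the lookup on `$field->name` after `Bugzilla::Field->check` is the right choice, since it tests the name of the resolved field object and not the raw `field` parameter. A short comment would protect it from later refactoring, for example `# Enforce the block list here; filtering the field list above is cosmetic only.` The action handlers lie outside this hunk, so it is worth confirming that none of them reads `$cgi->param('field')` again and resolves the field a second time without this check.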