Bug 686227: Users with editcomponents privs must be able to add products they cannot...

r=dkl a=LpSolit

diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index bd3f7b05439510390cab3db7d48af7ba1ccfb06a..7f37dd884218e5c16c70f848c5f8f1908b1c9f06 100644 (file)
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -357,7 +357,15 @@ sub set_request_group    { $_[0]->set('request_group_id', $_[1]); }
 
 sub set_clusions {
     my ($self, $list) = @_;
+    my $user = Bugzilla->user;
     my %products;
+    my $params = {};
+
+    # If the user has editcomponents privs, then we only need to make sure
+    # that the product exists.
+    if ($user->in_group('editcomponents')) {
+        $params->{allow_inaccessible} = 1;
+    }
 
     foreach my $category (keys %$list) {
         my %clusions;
@@ -369,8 +377,16 @@ sub set_clusions {
             my $comp_name = '__Any__';
             # Does the product exist?
             if ($prod_id) {
-                $products{$prod_id} ||= Bugzilla::Product->check({ id => $prod_id });
-                detaint_natural($prod_id);
+                detaint_natural($prod_id)
+                  || ThrowCodeError('param_must_be_numeric',
+                                    { function => 'Bugzilla::FlagType::set_clusions' });
+
+                if (!$products{$prod_id}) {
+                    $params->{id} = $prod_id;
+                    $products{$prod_id} = Bugzilla::Product->check($params);
+                    $user->in_group('editcomponents', $prod_id)
+                      || ThrowUserError('product_access_denied', $params);
+                }
                 $prod_name = $products{$prod_id}->name;
 
                 # Does the component belong to this product?