Bug 351337: Users can add bugs to groups that they are members of, even if the group...

diff --git a/post_bug.cgi b/post_bug.cgi
index 521354994086d84e0ec2f2dd1fe18a52be0e39ef..dd6d020d82412cbb6dce1d97a8c341c844c110ed 100755 (executable)
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -364,14 +364,24 @@ foreach my $b (grep(/^bit-\d*$/, $cgi->param())) {
             $vars->{'bit'} = $v;
             ThrowCodeError("inactive_group");
         }
-        my ($permit) = $user->in_group_id($v);
-        if (!$permit) {
-            SendSQL("SELECT othercontrol FROM group_control_map
-                     WHERE group_id = $v AND product_id = $product_id");
-            my ($othercontrol) = FetchSQLData();
-            $permit = (($othercontrol == CONTROLMAPSHOWN)
-                       || ($othercontrol == CONTROLMAPDEFAULT));
-        }
+        my ($membercontrol, $othercontrol) =
+            $dbh->selectrow_array('SELECT membercontrol, othercontrol
+                                     FROM group_control_map
+                                    WHERE group_id = ? AND product_id = ?',
+                                    undef, ($v, $product_id));
+
+        # If these values are undefined or zero, then this group
+        # cannot be a valid one for this product.
+        next unless ($membercontrol || $othercontrol);
+
+        my $permit = ($user->in_group_id($v)
+                      && ($membercontrol == CONTROLMAPSHOWN
+                          || $membercontrol == CONTROLMAPDEFAULT))
+                     ||
+                       (!$user->in_group_id($v)
+                        && ($othercontrol == CONTROLMAPSHOWN
+                            || $othercontrol == CONTROLMAPDEFAULT));
+
         if ($permit) {
             push(@groupstoadd, $v)
         }