From: lpsolit%gmail.com <>
Date: Sat, 1 Aug 2009 12:37:49 +0000 (+0000)
Subject: Bug 507389: [SECURITY] Users can see all products when editing bugs - Patch by FrÃ... 
X-Git-Tag: bugzilla-3.4.1~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c264ec3efe970c1534b2df495efe900f7b274bb;p=thirdparty%2Fbugzilla.git

Bug 507389: [SECURITY] Users can see all products when editing bugs - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
---

diff --git a/t/008filter.t b/t/008filter.t
index 9a53ced93a..ec9e21f51c 100644
--- a/t/008filter.t
+++ b/t/008filter.t
@@ -211,7 +211,7 @@ sub directive_ok {
     return 1 if $directive =~ /^(time2str|url)\(/;
 
     # Safe Template Toolkit virtual methods
-    return 1 if $directive =~ /\.(length$|size$|push\(|delete\()/;
+    return 1 if $directive =~ /\.(length$|size$|push\(|unshift\(|delete\()/;
 
     # Special Template Toolkit loop variable
     return 1 if $directive =~ /^loop\.(index|count)$/;
diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index de89f1b8e7..3c45a0813a 100644
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -371,8 +371,16 @@
     [%#############%]
     
     <tr>
+       [% IF bug.check_can_change_field('product', 0, 1) %]
+         [% prod_list = user.get_enterable_products %]
+         [% IF NOT user.can_enter_product(bug.product) %]
+           [% prod_list.unshift(bug.product_obj) %]
+         [% END %]
+       [% END %]
+
        [% INCLUDE bug/field.html.tmpl
             bug = bug, field = select_fields.product,
+            override_legal_values = prod_list
             desc_url = 'describecomponents.cgi', value = bug.product
             editable = bug.check_can_change_field('product', 0, 1) %]
     </tr>
diff --git a/template/en/default/bug/field.html.tmpl b/template/en/default/bug/field.html.tmpl
index d02f9801ba..b7c45511fd 100644
--- a/template/en/default/bug/field.html.tmpl
+++ b/template/en/default/bug/field.html.tmpl
@@ -23,6 +23,7 @@
 [%# INTERFACE:
   #   field: a Bugzilla::Field object
   #   value: The value of the field for this bug.
+  #   override_legal_values (optional): The list of legal values, for select fields.
   #   editable: Whether the field should be displayed as an editable
   #             <input> or as just the plain text of its value.
   #   allow_dont_change: display the --do_not_change-- option for select fields.
@@ -130,7 +131,10 @@
               [% dontchange FILTER html %]
             </option>
           [% END %]
-          [% FOREACH legal_value = field.legal_values %]
+          [% IF NOT override_legal_values %]
+            [% override_legal_values = field.legal_values %]
+          [% END %]
+          [% FOREACH legal_value = override_legal_values %]
             [% SET control_value = legal_value.visibility_value %]
             [% SET control_field = field.value_field %]
             <option value="[% legal_value.name FILTER html %]"