From: Frédéric Buclin Date: Sat, 17 Sep 2011 11:43:43 +0000 (+0200) Subject: Bug 686227: Users with editcomponents privs must be able to add products they cannot... X-Git-Tag: bugzilla-4.3.1~248 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=318295325c43fcc8fd3253c46525c3ce57df1329;p=thirdparty%2Fbugzilla.git Bug 686227: Users with editcomponents privs must be able to add products they cannot see to the inclusion and exclusion lists when creating or editing a flagtype r=dkl a=LpSolit --- diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm index bd3f7b0543..7f37dd8842 100644 --- a/Bugzilla/FlagType.pm +++ b/Bugzilla/FlagType.pm @@ -357,7 +357,15 @@ sub set_request_group { $_[0]->set('request_group_id', $_[1]); } sub set_clusions { my ($self, $list) = @_; + my $user = Bugzilla->user; my %products; + my $params = {}; + + # If the user has editcomponents privs, then we only need to make sure + # that the product exists. + if ($user->in_group('editcomponents')) { + $params->{allow_inaccessible} = 1; + } foreach my $category (keys %$list) { my %clusions; @@ -369,8 +377,16 @@ sub set_clusions { my $comp_name = '__Any__'; # Does the product exist? if ($prod_id) { - $products{$prod_id} ||= Bugzilla::Product->check({ id => $prod_id }); - detaint_natural($prod_id); + detaint_natural($prod_id) + || ThrowCodeError('param_must_be_numeric', + { function => 'Bugzilla::FlagType::set_clusions' }); + + if (!$products{$prod_id}) { + $params->{id} = $prod_id; + $products{$prod_id} = Bugzilla::Product->check($params); + $user->in_group('editcomponents', $prod_id) + || ThrowUserError('product_access_denied', $params); + } $prod_name = $products{$prod_id}->name; # Does the component belong to this product?