From: Simon Green Date: Wed, 8 Oct 2014 02:58:13 +0000 (+1000) Subject: Bug 1009406 - A user with local editcomponents privs cannot update the inclusion... X-Git-Tag: bugzilla-5.1~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=847191ac9f29dee98088203d2ac135b9d820b507;p=thirdparty%2Fbugzilla.git Bug 1009406 - A user with local editcomponents privs cannot update the inclusion and exclusion lists when the flagtype is already restricted to products the user cannot edit r=dkl, a=simon --- diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm index 5cbfdd9796..72b3f64c1f 100644 --- a/Bugzilla/FlagType.pm +++ b/Bugzilla/FlagType.pm @@ -41,6 +41,7 @@ use Bugzilla::Util; use Bugzilla::Group; use Email::Address; +use List::MoreUtils qw(uniq); use parent qw(Bugzilla::Object); @@ -379,8 +380,6 @@ sub set_clusions { if (!$products{$prod_id}) { $params->{id} = $prod_id; $products{$prod_id} = Bugzilla::Product->check($params); - $user->in_group('editcomponents', $prod_id) - || ThrowUserError('product_access_denied', $params); } $prod_name = $products{$prod_id}->name; @@ -406,6 +405,22 @@ sub set_clusions { $clusions{"$prod_name:$comp_name"} = "$prod_id:$comp_id"; $clusions_as_hash{$prod_id}->{$comp_id} = 1; } + + # Check the user has the editcomponent permission on products that are changing + if (! $user->in_group('editcomponents')) { + my $current_clusions = $self->$category; + my ($removed, $added) + = diff_arrays([ values %$current_clusions ], [ values %clusions ]); + my @changed_product_ids + = uniq map { substr($_, 0, index($_, ':')) } @$removed, @$added; + foreach my $product_id (@changed_product_ids) { + $user->in_group('editcomponents', $product_id) + || ThrowUserError('product_access_denied', + { name => $products{$product_id}->name }); + } + } + + # Set the changes $self->{$category} = \%clusions; $self->{"${category}_as_hash"} = \%clusions_as_hash; $self->{"_update_$category"} = 1;