Bug 1009406 - A user with local editcomponents privs cannot update th…
…e inclusion and exclusion lists when the flagtype is already restricted to products the user cannot edit

r=dkl, a=simon
Simon Green authored and Simon Green committed Oct 8, 2014
1 parent 1e5bdcd commit 8e3d2de
Showing 1 changed file with 17 additions and 2 deletions.
19 changes: 17 additions & 2 deletions Bugzilla/FlagType.pm
@@ -39,6 +39,7 @@ use Bugzilla::Util;
use Bugzilla::Group;

use Email::Address;
use List::MoreUtils qw(uniq);

use base qw(Bugzilla::Object);

@@ -369,8 +370,6 @@ sub set_clusions {
if (!$products{$prod_id}) {
$params->{id} = $prod_id;
$products{$prod_id} = Bugzilla::Product->check($params);
$user->in_group('editcomponents', $prod_id)
|| ThrowUserError('product_access_denied', $params);
}
$prod_name = $products{$prod_id}->name;

@@ -396,6 +395,22 @@ sub set_clusions {
$clusions{"$prod_name:$comp_name"} = "$prod_id:$comp_id";
$clusions_as_hash{$prod_id}->{$comp_id} = 1;
}

# Check the user has the editcomponent permission on products that are changing
if (! $user->in_group('editcomponents')) {
my $current_clusions = $self->$category;
my ($removed, $added)
= diff_arrays([ values %$current_clusions ], [ values %clusions ]);
my @changed_product_ids
= uniq map { substr($_, 0, index($_, ':')) } @$removed, @$added;
foreach my $product_id (@changed_product_ids) {
$user->in_group('editcomponents', $product_id)
|| ThrowUserError('product_access_denied',
{ name => $products{$product_id}->name });
}
}

# Set the changes
$self->{$category} = \%clusions;
$self->{"${category}_as_hash"} = \%clusions_as_hash;
$self->{"_update_$category"} = 1;
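Review bot: In the new permission loop of the last hunk, the denial branch calls `$products{$product_id}->name`, but in the visible code `%products` is only filled for products in the submitted list (the `Bugzilla::Product->check($params)` assignment in the second hunk). A product id that appears only in `@$removed` would have no entry, so a user without rights on it would hit a method call on an undefined value instead of `product_access_denied`; the change is still blocked, but as an internal error rather than the intended user error. I would resolve the object first, e.g. `my $product = $products{$product_id} || Bugzilla::Product->new($product_id);`, and pass `{ name => $product ? $product->name : $product_id }`. A comment such as `# Removed entries count as changes too: rights are required on products being dropped from the list.` would make the reason for diffing in both directions explicit. `set_clusions` begins and ends outside the hunks shown, so `%products` may be populated elsewhere; worth confirming before changing this.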