Bug 1009406 - A user with local editcomponents privs cannot update the inclusion and exclusion lists when the flagtype is already restricted to products the user cannot edit
r=dkl, a=simon git-svn-id: svn://10.0.0.236/trunk@265613 18797224-902f-48f8-a5cc-f745e15eee43
This commit is contained in:
bzrmirror%bugzilla.org
@@ -1 +1 @@
|
||||
9167
|
||||
9168
|
||||
@@ -1 +1 @@
|
||||
caf21973f5ea0e1caf30165234e2b50ed753ebaa
|
||||
847191ac9f29dee98088203d2ac135b9d820b507
|
||||
@@ -41,6 +41,7 @@ use Bugzilla::Util;
|
||||
use Bugzilla::Group;
|
||||
|
||||
use Email::Address;
|
||||
use List::MoreUtils qw(uniq);
|
||||
|
||||
use parent qw(Bugzilla::Object);
|
||||
|
||||
@@ -379,8 +380,6 @@ sub set_clusions {
|
||||
if (!$products{$prod_id}) {
|
||||
$params->{id} = $prod_id;
|
||||
$products{$prod_id} = Bugzilla::Product->check($params);
|
||||
$user->in_group('editcomponents', $prod_id)
|
||||
|| ThrowUserError('product_access_denied', $params);
|
||||
}
|
||||
$prod_name = $products{$prod_id}->name;
|
||||
|
||||
@@ -406,6 +405,22 @@ sub set_clusions {
|
||||
$clusions{"$prod_name:$comp_name"} = "$prod_id:$comp_id";
|
||||
$clusions_as_hash{$prod_id}->{$comp_id} = 1;
|
||||
}
|
||||
|
||||
# Check the user has the editcomponent permission on products that are changing
|
||||
if (! $user->in_group('editcomponents')) {
|
||||
my $current_clusions = $self->$category;
|
||||
my ($removed, $added)
|
||||
= diff_arrays([ values %$current_clusions ], [ values %clusions ]);
|
||||
my @changed_product_ids
|
||||
= uniq map { substr($_, 0, index($_, ':')) } @$removed, @$added;
|
||||
foreach my $product_id (@changed_product_ids) {
|
||||
$user->in_group('editcomponents', $product_id)
|
||||
|| ThrowUserError('product_access_denied',
|
||||
{ name => $products{$product_id}->name });
|
||||
}
|
||||
}
|
||||
|
||||
# Set the changes
|
||||
$self->{$category} = \%clusions;
|
||||
$self->{"${category}_as_hash"} = \%clusions_as_hash;
|
||||
$self->{"_update_$category"} = 1;
|
||||
|
||||
Reference in New Issue
Block a user