494072 - editvalues.cgi lets you edit product names

Status: RESOLVED FIXED

(Bugzilla :: Administration, task)

Description

[Frédéric Buclin]

Product names should only be editable from editproducts.cgi. Moreover, editvalues.cgi doesn't call check_can_admin_product(). Products are not standard fields and should be excluded from all editvalues.cgi actions.

Comment 1

[Frédéric Buclin]

Max, do you think we should add an is_editable => 0|1 attribute to Bugzilla::Field::DEFAULT_FIELDS and let editvalues.cgi looks for {is_select => 1, is_editable => 1} or add a @black_list = ('product') to editvalues.cgi and exclude fields listed there?

Comment 2

[Max Kanat-Alexander]

(In reply to comment #1)
> Max, do you think we should add an is_editable => 0|1 attribute to
> Bugzilla::Field::DEFAULT_FIELDS and let editvalues.cgi looks for {is_select =>
> 1, is_editable => 1} or add a @black_list = ('product') to editvalues.cgi and
> exclude fields listed there?

  Hmm. Right now, I was thinking more that we'd add a block list for SELECT fields that shouldn't be edited by the interface.

Comment 3

[Frédéric Buclin]

Attachment: patch, v1

Comment 4

[Frédéric Buclin]

Comment on attachment 379088 [details] [diff] [review]
patch, v1

Asking Greg too as Max seems very busy.

Comment 5

[Max Kanat-Alexander]

Comment on attachment 379088 [details] [diff] [review]
patch, v1

Looks good to me. I trust your testing.

Comment 6

[Frédéric Buclin]

tip:

Checking in editvalues.cgi;
/cvsroot/mozilla/webtools/bugzilla/editvalues.cgi,v  <--  editvalues.cgi
new revision: 1.39; previous revision: 1.38
done

3.3.4:

Checking in editvalues.cgi;
/cvsroot/mozilla/webtools/bugzilla/editvalues.cgi,v  <--  editvalues.cgi
new revision: 1.38.2.1; previous revision: 1.38
done