]> git.ipfire.org Git - thirdparty/bugzilla.git/blob - attachment.cgi
projects / thirdparty / bugzilla.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
add a new hook: template_after_create (#60)
[thirdparty/bugzilla.git] / attachment.cgi
1 #!/usr/bin/perl -T
2 # This Source Code Form is subject to the terms of the Mozilla Public
3 # License, v. 2.0. If a copy of the MPL was not distributed with this
4 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
5 #
6 # This Source Code Form is "Incompatible With Secondary Licenses", as
7 # defined by the Mozilla Public License, v. 2.0.
8
9 use 5.10.1;
10 use strict;
11 use warnings;
12
13 use lib qw(. lib);
14
15 use Bugzilla;
16 use Bugzilla::BugMail;
17 use Bugzilla::Constants;
18 use Bugzilla::Error;
19 use Bugzilla::Flag;
20 use Bugzilla::FlagType;
21 use Bugzilla::User;
22 use Bugzilla::Util;
23 use Bugzilla::Bug;
24 use Bugzilla::Attachment;
25 use Bugzilla::Attachment::PatchReader;
26 use Bugzilla::Token;
27
28 use Encode qw(encode find_encoding);
29 use Encode::MIME::Header; # Required to alter Encode::Encoding{'MIME-Q'}.
30
31 # For most scripts we don't make $cgi and $template global variables. But
32 # when preparing Bugzilla for mod_perl, this script used these
33 # variables in so many subroutines that it was easier to just
34 # make them globals.
35 local our $cgi = Bugzilla->cgi;
36 local our $template = Bugzilla->template;
37 local our $vars = {};
38 local $Bugzilla::CGI::ALLOW_UNSAFE_RESPONSE = 1;
39
40 # All calls to this script should contain an "action" variable whose
41 # value determines what the user wants to do. The code below checks
42 # the value of that variable and runs the appropriate code. If none is
43 # supplied, we default to 'view'.
44
45 # Determine whether to use the action specified by the user or the default.
46 my $action = $cgi->param('action') || 'view';
47 my $format = $cgi->param('format') || '';
48
49 # You must use the appropriate urlbase/sslbase param when doing anything
50 # but viewing an attachment, or a raw diff.
51 if ($action ne 'view'
52 && (($action !~ /^(?:interdiff|diff)$/) || $format ne 'raw'))
53 {
54 do_ssl_redirect_if_required();
55 if ($cgi->url_is_attachment_base) {
56 $cgi->redirect_to_urlbase;
57 }
58 Bugzilla->login();
59 }
60
61 # When viewing an attachment, do not request credentials if we are on
62 # the alternate host. Let view() decide when to call Bugzilla->login.
63 if ($action eq "view")
64 {
65 view();
66 }
67 elsif ($action eq "interdiff")
68 {
69 interdiff();
70 }
71 elsif ($action eq "diff")
72 {
73 diff();
74 }
75 elsif ($action eq "viewall")
76 {
77 viewall();
78 }
79 elsif ($action eq "enter")
80 {
81 Bugzilla->login(LOGIN_REQUIRED);
82 enter();
83 }
84 elsif ($action eq "insert")
85 {
86 Bugzilla->login(LOGIN_REQUIRED);
87 insert();
88 }
89 elsif ($action eq "edit")
90 {
91 edit();
92 }
93 elsif ($action eq "update")
94 {
95 Bugzilla->login(LOGIN_REQUIRED);
96 update();
97 }
98 elsif ($action eq "delete") {
99 delete_attachment();
100 }
101 else
102 {
103 ThrowUserError('unknown_action', {action => $action});
104 }
105
106 exit;
107
108 ################################################################################
109 # Data Validation / Security Authorization
110 ################################################################################
111
112 # Validates an attachment ID. Optionally takes a parameter of a form
113 # variable name that contains the ID to be validated. If not specified,
114 # uses 'id'.
115 # If the second parameter is true, the attachment ID will be validated,
116 # however the current user's access to the attachment will not be checked.
117 # Will throw an error if 1) attachment ID is not a valid number,
118 # 2) attachment does not exist, or 3) user isn't allowed to access the
119 # attachment.
120 #
121 # Returns an attachment object.
122
123 sub validateID {
124 my($param, $dont_validate_access) = @_;
125 $param ||= 'id';
126
127 # If we're not doing interdiffs, check if id wasn't specified and
128 # prompt them with a page that allows them to choose an attachment.
129 # Happens when calling plain attachment.cgi from the urlbar directly
130 if ($param eq 'id' && !$cgi->param('id')) {
131 print $cgi->header();
132 $template->process("attachment/choose.html.tmpl", $vars) ||
133 ThrowTemplateError($template->error());
134 exit;
135 }
136
137 my $attach_id = $cgi->param($param);
138
139 # Validate the specified attachment id. detaint kills $attach_id if
140 # non-natural, so use the original value from $cgi in our exception
141 # message here.
142 detaint_natural($attach_id)
143 || ThrowUserError("invalid_attach_id",
144 { attach_id => scalar $cgi->param($param) });
145
146 # Make sure the attachment exists in the database.
147 my $attachment = new Bugzilla::Attachment({ id => $attach_id, cache => 1 })
148 || ThrowUserError("invalid_attach_id", { attach_id => $attach_id });
149
150 return $attachment if ($dont_validate_access || check_can_access($attachment));
151 }
152
153 # Make sure the current user has access to the specified attachment.
154 sub check_can_access {
155 my $attachment = shift;
156 my $user = Bugzilla->user;
157
158 # Make sure the user is authorized to access this attachment's bug.
159 Bugzilla::Bug->check({ id => $attachment->bug_id, cache => 1 });
160 if ($attachment->isprivate && $user->id != $attachment->attacher->id
161 && !$user->is_insider)
162 {
163 ThrowUserError('auth_failure', {action => 'access',
164 object => 'attachment',
165 attach_id => $attachment->id});
166 }
167 return 1;
168 }
169
170 # Determines if the attachment is public -- that is, if users who are
171 # not logged in have access to the attachment
172 sub attachmentIsPublic {
173 my $attachment = shift;
174
175 return 0 if Bugzilla->params->{'requirelogin'};
176 return 0 if $attachment->isprivate;
177
178 my $anon_user = new Bugzilla::User;
179 return $anon_user->can_see_bug($attachment->bug_id);
180 }
181
182 # Validates format of a diff/interdiff. Takes a list as an parameter, which
183 # defines the valid format values. Will throw an error if the format is not
184 # in the list. Returns either the user selected or default format.
185 sub validateFormat {
186 # receives a list of legal formats; first item is a default
187 my $format = $cgi->param('format') || $_[0];
188 if (not grep($_ eq $format, @_)) {
189 ThrowUserError("invalid_format", { format => $format, formats => \@_ });
190 }
191
192 return $format;
193 }
194
195 # Gets the attachment object(s) generated by validateID, while ensuring
196 # attachbase and token authentication is used when required.
197 sub get_attachment {
198 my @field_names = @_ ? @_ : qw(id);
199
200 my %attachments;
201
202 if (use_attachbase()) {
203 # Load each attachment, and ensure they are all from the same bug
204 my $bug_id = 0;
205 foreach my $field_name (@field_names) {
206 my $attachment = validateID($field_name, 1);
207 if (!$bug_id) {
208 $bug_id = $attachment->bug_id;
209 } elsif ($attachment->bug_id != $bug_id) {
210 ThrowUserError('attachment_bug_id_mismatch');
211 }
212 $attachments{$field_name} = $attachment;
213 }
214 my @args = map { $_ . '=' . $attachments{$_}->id } @field_names;
215 my $cgi_params = $cgi->canonicalise_query(@field_names, 't',
216 'Bugzilla_login', 'Bugzilla_password');
217 push(@args, $cgi_params) if $cgi_params;
218 my $path = 'attachment.cgi?' . join('&', @args);
219
220 # Make sure the attachment is served from the correct server.
221 if ($cgi->url_is_attachment_base($bug_id)) {
222 # No need to validate the token for public attachments. We cannot request
223 # credentials as we are on the alternate host.
224 if (!all_attachments_are_public(\%attachments)) {
225 my $token = $cgi->param('t');
226 my ($userid, undef, $token_data) = Bugzilla::Token::GetTokenData($token);
227 my %token_data = unpack_token_data($token_data);
228 my $valid_token = 1;
229 foreach my $field_name (@field_names) {
230 my $token_id = $token_data{$field_name};
231 if (!$token_id
232 || !detaint_natural($token_id)
233 || $attachments{$field_name}->id != $token_id)
234 {
235 $valid_token = 0;
236 last;
237 }
238 }
239 unless ($userid && $valid_token) {
240 # Not a valid token.
241 print $cgi->redirect('-location' => correct_urlbase() . $path);
242 exit;
243 }
244 # Change current user without creating cookies.
245 Bugzilla->set_user(new Bugzilla::User($userid));
246 # Tokens are single use only, delete it.
247 delete_token($token);
248 }
249 }
250 elsif ($cgi->url_is_attachment_base) {
251 # If we come here, this means that each bug has its own host
252 # for attachments, and that we are trying to view one attachment
253 # using another bug's host. That's not desired.
254 $cgi->redirect_to_urlbase;
255 }
256 else {
257 # We couldn't call Bugzilla->login earlier as we first had to
258 # make sure we were not going to request credentials on the
259 # alternate host.
260 Bugzilla->login();
261 my $attachbase = Bugzilla->params->{'attachment_base'};
262 # Replace %bugid% by the ID of the bug the attachment
263 # belongs to, if present.
264 $attachbase =~ s/\%bugid\%/$bug_id/;
265 if (all_attachments_are_public(\%attachments)) {
266 # No need for a token; redirect to attachment base.
267 print $cgi->redirect(-location => $attachbase . $path);
268 exit;
269 } else {
270 # Make sure the user can view the attachment.
271 foreach my $field_name (@field_names) {
272 check_can_access($attachments{$field_name});
273 }
274 # Create a token and redirect.
275 my $token = url_quote(issue_session_token(pack_token_data(\%attachments)));
276 print $cgi->redirect(-location => $attachbase . "$path&t=$token");
277 exit;
278 }
279 }
280 } else {
281 do_ssl_redirect_if_required();
282 # No alternate host is used. Request credentials if required.
283 Bugzilla->login();
284 foreach my $field_name (@field_names) {
285 $attachments{$field_name} = validateID($field_name);
286 }
287 }
288
289 return wantarray
290 ? map { $attachments{$_} } @field_names
291 : $attachments{$field_names[0]};
292 }
293
294 sub all_attachments_are_public {
295 my $attachments = shift;
296 foreach my $field_name (keys %$attachments) {
297 if (!attachmentIsPublic($attachments->{$field_name})) {
298 return 0;
299 }
300 }
301 return 1;
302 }
303
304 sub pack_token_data {
305 my $attachments = shift;
306 return join(' ', map { $_ . '=' . $attachments->{$_}->id } keys %$attachments);
307 }
308
309 sub unpack_token_data {
310 my @token_data = split(/ /, shift || '');
311 my %data;
312 foreach my $token (@token_data) {
313 my ($field_name, $attach_id) = split('=', $token);
314 $data{$field_name} = $attach_id;
315 }
316 return %data;
317 }
318
319 ################################################################################
320 # Functions
321 ################################################################################
322
323 # Display an attachment.
324 sub view {
325 my $attachment = get_attachment();
326
327 # At this point, Bugzilla->login has been called if it had to.
328 my $contenttype = $attachment->contenttype;
329 my $filename = $attachment->filename;
330
331 # Bug 111522: allow overriding content-type manually in the posted form
332 # params.
333 if (defined $cgi->param('content_type')) {
334 $contenttype = $attachment->_check_content_type($cgi->param('content_type'));
335 }
336
337 # Return the appropriate HTTP response headers.
338 $attachment->datasize || ThrowUserError("attachment_removed");
339
340 $filename =~ s/^.*[\/\\]//;
341 # escape quotes and backslashes in the filename, per RFCs 2045/822
342 $filename =~ s/\\/\\\\/g; # escape backslashes
343 $filename =~ s/"/\\"/g; # escape quotes
344
345 # Avoid line wrapping done by Encode, which we don't need for HTTP
346 # headers. See discussion in bug 328628 for details.
347 local $Encode::Encoding{'MIME-Q'}->{'bpl'} = 10000;
348 $filename = encode('MIME-Q', $filename);
349
350 my $disposition = Bugzilla->params->{'allow_attachment_display'} ? 'inline' : 'attachment';
351
352 # Don't send a charset header with attachments--they might not be UTF-8.
353 # However, we do allow people to explicitly specify a charset if they
354 # want.
355 if ($contenttype !~ /\bcharset=/i) {
356 # In order to prevent Apache from adding a charset, we have to send a
357 # charset that's a single space.
358 $cgi->charset(' ');
359 if (Bugzilla->feature('detect_charset') && $contenttype =~ /^text\//) {
360 my $encoding = detect_encoding($attachment->data);
361 if ($encoding) {
362 $cgi->charset(find_encoding($encoding)->mime_name);
363 }
364 }
365 }
366 print $cgi->header(-type=>"$contenttype; name=\"$filename\"",
367 -content_disposition=> "$disposition; filename=\"$filename\"",
368 -content_length => $attachment->datasize);
369 disable_utf8();
370 print $attachment->data;
371 }
372
373 sub interdiff {
374 # Retrieve and validate parameters
375 my $format = validateFormat('html', 'raw');
376 my($old_attachment, $new_attachment);
377 if ($format eq 'raw') {
378 ($old_attachment, $new_attachment) = get_attachment('oldid', 'newid');
379 } else {
380 $old_attachment = validateID('oldid');
381 $new_attachment = validateID('newid');
382 }
383
384 Bugzilla::Attachment::PatchReader::process_interdiff(
385 $old_attachment, $new_attachment, $format);
386 }
387
388 sub diff {
389 # Retrieve and validate parameters
390 my $format = validateFormat('html', 'raw');
391 my $attachment = $format eq 'raw' ? get_attachment() : validateID();
392
393 # If it is not a patch, view normally.
394 if (!$attachment->ispatch) {
395 view();
396 return;
397 }
398
399 Bugzilla::Attachment::PatchReader::process_diff($attachment, $format);
400 }
401
402 # Display all attachments for a given bug in a series of IFRAMEs within one
403 # HTML page.
404 sub viewall {
405 # Retrieve and validate parameters
406 my $bug = Bugzilla::Bug->check({ id => scalar $cgi->param('bugid'), cache => 1 });
407
408 my $attachments = Bugzilla::Attachment->get_attachments_by_bug($bug);
409 # Ignore deleted attachments.
410 @$attachments = grep { $_->datasize } @$attachments;
411
412 if ($cgi->param('hide_obsolete')) {
413 @$attachments = grep { !$_->isobsolete } @$attachments;
414 $vars->{'hide_obsolete'} = 1;
415 }
416
417 # Define the variables and functions that will be passed to the UI template.
418 $vars->{'bug'} = $bug;
419 $vars->{'attachments'} = $attachments;
420
421 print $cgi->header();
422
423 # Generate and return the UI (HTML page) from the appropriate template.
424 $template->process("attachment/show-multiple.html.tmpl", $vars)
425 || ThrowTemplateError($template->error());
426 }
427
428 # Display a form for entering a new attachment.
429 sub enter {
430 # Retrieve and validate parameters
431 my $bug = Bugzilla::Bug->check(scalar $cgi->param('bugid'));
432 my $bugid = $bug->id;
433 Bugzilla::Attachment->_check_bug($bug);
434 my $dbh = Bugzilla->dbh;
435 my $user = Bugzilla->user;
436
437 # Retrieve the attachments the user can edit from the database and write
438 # them into an array of hashes where each hash represents one attachment.
439
440 my ($can_edit, $not_private) = ('', '');
441 if (!$user->in_group('editbugs', $bug->product_id)) {
442 $can_edit = "AND submitter_id = " . $user->id;
443 }
444 if (!$user->is_insider) {
445 $not_private = "AND isprivate = 0";
446 }
447 my $attach_ids = $dbh->selectcol_arrayref(
448 "SELECT attach_id
449 FROM attachments
450 WHERE bug_id = ?
451 AND isobsolete = 0
452 $can_edit $not_private
453 ORDER BY attach_id",
454 undef, $bugid);
455
456 # Define the variables and functions that will be passed to the UI template.
457 $vars->{'bug'} = $bug;
458 $vars->{'attachments'} = Bugzilla::Attachment->new_from_list($attach_ids);
459
460 my $flag_types = Bugzilla::FlagType::match({
461 'target_type' => 'attachment',
462 'product_id' => $bug->product_id,
463 'component_id' => $bug->component_id
464 });
465 $vars->{'flag_types'} = $flag_types;
466 $vars->{'any_flags_requesteeble'} =
467 grep { $_->is_requestable && $_->is_requesteeble } @$flag_types;
468 $vars->{'token'} = issue_session_token('create_attachment');
469
470 print $cgi->header();
471
472 # Generate and return the UI (HTML page) from the appropriate template.
473 $template->process("attachment/create.html.tmpl", $vars)
474 || ThrowTemplateError($template->error());
475 }
476
477 # Insert a new attachment into the database.
478 sub insert {
479 my $dbh = Bugzilla->dbh;
480 my $user = Bugzilla->user;
481
482 $dbh->bz_start_transaction;
483
484 # Retrieve and validate parameters
485 my $bug = Bugzilla::Bug->check(scalar $cgi->param('bugid'));
486 my $bugid = $bug->id;
487 my ($timestamp) = $dbh->selectrow_array("SELECT NOW()");
488
489 # Detect if the user already used the same form to submit an attachment
490 my $token = trim($cgi->param('token'));
491 check_token_data($token, 'create_attachment', 'index.cgi');
492
493 # Check attachments the user tries to mark as obsolete.
494 my @obsolete_attachments;
495 if ($cgi->param('obsolete')) {
496 my @obsolete = $cgi->param('obsolete');
497 @obsolete_attachments = Bugzilla::Attachment->validate_obsolete($bug, \@obsolete);
498 }
499
500 # Must be called before create() as it may alter $cgi->param('ispatch').
501 my $content_type = Bugzilla::Attachment::get_content_type();
502
503 # Get the filehandle of the attachment.
504 my $data_fh = $cgi->upload('data');
505 my $attach_text = $cgi->param('attach_text');
506
507 my $attachment = Bugzilla::Attachment->create(
508 {bug => $bug,
509 creation_ts => $timestamp,
510 data => $attach_text || $data_fh,
511 description => scalar $cgi->param('description'),
512 filename => $attach_text ? "file_$bugid.txt" : $data_fh,
513 ispatch => scalar $cgi->param('ispatch'),
514 isprivate => scalar $cgi->param('isprivate'),
515 mimetype => $content_type,
516 });
517
518 # Delete the token used to create this attachment.
519 delete_token($token);
520
521 foreach my $obsolete_attachment (@obsolete_attachments) {
522 $obsolete_attachment->set_is_obsolete(1);
523 $obsolete_attachment->update($timestamp);
524 }
525
526 my ($flags, $new_flags) = Bugzilla::Flag->extract_flags_from_cgi(
527 $bug, $attachment, $vars, SKIP_REQUESTEE_ON_ERROR);
528 $attachment->set_flags($flags, $new_flags);
529
530 # Insert a comment about the new attachment into the database.
531 my $comment = $cgi->param('comment');
532 $comment = '' unless defined $comment;
533 $bug->add_comment($comment, { isprivate => $attachment->isprivate,
534 type => CMT_ATTACHMENT_CREATED,
535 extra_data => $attachment->id });
536
537 # Assign the bug to the user, if they are allowed to take it
538 my $owner = "";
539 if ($cgi->param('takebug') && $user->in_group('editbugs', $bug->product_id)) {
540 # When taking a bug, we have to follow the workflow.
541 my $bug_status = $cgi->param('bug_status') || '';
542 ($bug_status) = grep { $_->name eq $bug_status }
543 @{ $bug->status->can_change_to };
544
545 if ($bug_status && $bug_status->is_open
546 && ($bug_status->name ne 'UNCONFIRMED'
547 || $bug->product_obj->allows_unconfirmed))
548 {
549 $bug->set_bug_status($bug_status->name);
550 $bug->clear_resolution();
551 }
552 # Make sure the person we are taking the bug from gets mail.
553 $owner = $bug->assigned_to->login;
554 $bug->set_assigned_to($user);
555 }
556
557 $bug->add_cc($user) if $cgi->param('addselfcc');
558 $bug->update($timestamp);
559
560 # We have to update the attachment after updating the bug, to ensure new
561 # comments are available.
562 $attachment->update($timestamp);
563
564 $dbh->bz_commit_transaction;
565
566 # Define the variables and functions that will be passed to the UI template.
567 $vars->{'attachment'} = $attachment;
568 # We cannot reuse the $bug object as delta_ts has eventually been updated
569 # since the object was created.
570 $vars->{'bugs'} = [new Bugzilla::Bug($bugid)];
571 $vars->{'header_done'} = 1;
572 $vars->{'contenttypemethod'} = $cgi->param('contenttypemethod');
573
574 my $recipients = { 'changer' => $user, 'owner' => $owner };
575 $vars->{'sent_bugmail'} = Bugzilla::BugMail::Send($bugid, $recipients);
576
577 print $cgi->header();
578 # Generate and return the UI (HTML page) from the appropriate template.
579 $template->process("attachment/created.html.tmpl", $vars)
580 || ThrowTemplateError($template->error());
581 }
582
583 # Displays a form for editing attachment properties.
584 # Any user is allowed to access this page, unless the attachment
585 # is private and the user does not belong to the insider group.
586 # Validations are done later when the user submits changes.
587 sub edit {
588 my $attachment = validateID();
589
590 my $bugattachments =
591 Bugzilla::Attachment->get_attachments_by_bug($attachment->bug);
592
593 my $any_flags_requesteeble = grep { $_->is_requestable && $_->is_requesteeble }
594 @{ $attachment->flag_types };
595 # Useful in case a flagtype is no longer requestable but a requestee
596 # has been set before we turned off that bit.
597 $any_flags_requesteeble ||= grep { $_->requestee_id } @{ $attachment->flags };
598 $vars->{'any_flags_requesteeble'} = $any_flags_requesteeble;
599 $vars->{'attachment'} = $attachment;
600 $vars->{'attachments'} = $bugattachments;
601
602 print $cgi->header();
603
604 # Generate and return the UI (HTML page) from the appropriate template.
605 $template->process("attachment/edit.html.tmpl", $vars)
606 || ThrowTemplateError($template->error());
607 }
608
609 # Updates an attachment record. Only users with "editbugs" privileges,
610 # (or the original attachment's submitter) can edit the attachment.
611 # Users cannot edit the content of the attachment itself.
612 sub update {
613 my $user = Bugzilla->user;
614 my $dbh = Bugzilla->dbh;
615
616 # Start a transaction in preparation for updating the attachment.
617 $dbh->bz_start_transaction();
618
619 # Retrieve and validate parameters
620 my $attachment = validateID();
621 my $bug = $attachment->bug;
622 $attachment->_check_bug;
623 my $can_edit = $attachment->validate_can_edit;
624
625 if ($can_edit) {
626 $attachment->set_description(scalar $cgi->param('description'));
627 $attachment->set_is_patch(scalar $cgi->param('ispatch'));
628 $attachment->set_content_type(scalar $cgi->param('contenttypeentry'));
629 $attachment->set_is_obsolete(scalar $cgi->param('isobsolete'));
630 $attachment->set_is_private(scalar $cgi->param('isprivate'));
631 $attachment->set_filename(scalar $cgi->param('filename'));
632
633 # Now make sure the attachment has not been edited since we loaded the page.
634 my $delta_ts = $cgi->param('delta_ts');
635 my $modification_time = $attachment->modification_time;
636
637 if ($delta_ts && $delta_ts ne $modification_time) {
638 datetime_from($delta_ts)
639 or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts });
640 ($vars->{'operations'}) = $bug->get_activity($attachment->id, $delta_ts);
641
642 # If the modification date changed but there is no entry in
643 # the activity table, this means someone commented only.
644 # In this case, there is no reason to midair.
645 if (scalar(@{$vars->{'operations'}})) {
646 $cgi->param('delta_ts', $modification_time);
647 # The token contains the old modification_time. We need a new one.
648 $cgi->param('token', issue_hash_token([$attachment->id, $modification_time]));
649
650 $vars->{'attachment'} = $attachment;
651
652 print $cgi->header();
653 # Warn the user about the mid-air collision and ask them what to do.
654 $template->process("attachment/midair.html.tmpl", $vars)
655 || ThrowTemplateError($template->error());
656 exit;
657 }
658 }
659 }
660
661 # We couldn't do this check earlier as we first had to validate attachment ID
662 # and display the mid-air collision page if modification_time changed.
663 my $token = $cgi->param('token');
664 check_hash_token($token, [$attachment->id, $attachment->modification_time]);
665
666 # If the user submitted a comment while editing the attachment,
667 # add the comment to the bug. Do this after having validated isprivate!
668 my $comment = $cgi->param('comment');
669 if (defined $comment && trim($comment) ne '') {
670 $bug->add_comment($comment, { isprivate => $attachment->isprivate,
671 type => CMT_ATTACHMENT_UPDATED,
672 extra_data => $attachment->id });
673 }
674
675 $bug->add_cc($user) if $cgi->param('addselfcc');
676
677 my ($flags, $new_flags) =
678 Bugzilla::Flag->extract_flags_from_cgi($bug, $attachment, $vars);
679
680 if ($can_edit) {
681 $attachment->set_flags($flags, $new_flags);
682 }
683 # Requestees can set flags targetted to them, even if they cannot
684 # edit the attachment. Flag setters can edit their own flags too.
685 elsif (scalar @$flags) {
686 my %flag_list = map { $_->{id} => $_ } @$flags;
687 my $flag_objs = Bugzilla::Flag->new_from_list([keys %flag_list]);
688
689 my @editable_flags;
690 foreach my $flag_obj (@$flag_objs) {
691 if ($flag_obj->setter_id == $user->id
692 || ($flag_obj->requestee_id && $flag_obj->requestee_id == $user->id))
693 {
694 push(@editable_flags, $flag_list{$flag_obj->id});
695 }
696 }
697
698 if (scalar @editable_flags) {
699 $attachment->set_flags(\@editable_flags, []);
700 # Flag changes must be committed.
701 $can_edit = 1;
702 }
703 }
704
705 # Figure out when the changes were made.
706 my $timestamp = $dbh->selectrow_array('SELECT LOCALTIMESTAMP(0)');
707
708 # Commit the comment, if any.
709 # This has to happen before updating the attachment, to ensure new comments
710 # are available to $attachment->update.
711 $bug->update($timestamp);
712
713 if ($can_edit) {
714 my $changes = $attachment->update($timestamp);
715 # If there are changes, we updated delta_ts in the DB. We have to
716 # reflect this change in the bug object.
717 $bug->{delta_ts} = $timestamp if scalar(keys %$changes);
718 }
719
720 # Commit the transaction now that we are finished updating the database.
721 $dbh->bz_commit_transaction();
722
723 # Define the variables and functions that will be passed to the UI template.
724 $vars->{'attachment'} = $attachment;
725 $vars->{'bugs'} = [$bug];
726 $vars->{'header_done'} = 1;
727 $vars->{'sent_bugmail'} =
728 Bugzilla::BugMail::Send($bug->id, { 'changer' => $user });
729
730 print $cgi->header();
731
732 # Generate and return the UI (HTML page) from the appropriate template.
733 $template->process("attachment/updated.html.tmpl", $vars)
734 || ThrowTemplateError($template->error());
735 }
736
737 # Only administrators can delete attachments.
738 sub delete_attachment {
739 my $user = Bugzilla->login(LOGIN_REQUIRED);
740 my $dbh = Bugzilla->dbh;
741
742 print $cgi->header();
743
744 $user->in_group('admin')
745 || ThrowUserError('auth_failure', {group => 'admin',
746 action => 'delete',
747 object => 'attachment'});
748
749 Bugzilla->params->{'allow_attachment_deletion'}
750 || ThrowUserError('attachment_deletion_disabled');
751
752 # Make sure the administrator is allowed to edit this attachment.
753 my $attachment = validateID();
754 Bugzilla::Attachment->_check_bug($attachment->bug);
755
756 $attachment->datasize || ThrowUserError('attachment_removed');
757
758 # We don't want to let a malicious URL accidentally delete an attachment.
759 my $token = trim($cgi->param('token'));
760 if ($token) {
761 my ($creator_id, $date, $event) = Bugzilla::Token::GetTokenData($token);
762 unless ($creator_id
763 && ($creator_id == $user->id)
764 && ($event eq 'delete_attachment' . $attachment->id))
765 {
766 # The token is invalid.
767 ThrowUserError('token_does_not_exist');
768 }
769
770 my $bug = new Bugzilla::Bug($attachment->bug_id);
771
772 # The token is valid. Delete the content of the attachment.
773 my $msg;
774 $vars->{'attachment'} = $attachment;
775 $vars->{'reason'} = clean_text($cgi->param('reason') || '');
776
777 $template->process("attachment/delete_reason.txt.tmpl", $vars, \$msg)
778 || ThrowTemplateError($template->error());
779
780 # Paste the reason provided by the admin into a comment.
781 $bug->add_comment($msg);
782
783 $attachment->remove_from_db();
784
785 # Now delete the token.
786 delete_token($token);
787
788 # Insert the comment.
789 $bug->update();
790
791 # Required to display the bug the deleted attachment belongs to.
792 $vars->{'bugs'} = [$bug];
793 $vars->{'header_done'} = 1;
794
795 $vars->{'sent_bugmail'} =
796 Bugzilla::BugMail::Send($bug->id, { 'changer' => $user });
797
798 $template->process("attachment/updated.html.tmpl", $vars)
799 || ThrowTemplateError($template->error());
800 }
801 else {
802 # Create a token.
803 $token = issue_session_token('delete_attachment' . $attachment->id);
804
805 $vars->{'a'} = $attachment;
806 $vars->{'token'} = $token;
807
808 $template->process("attachment/confirm-delete.html.tmpl", $vars)
809 || ThrowTemplateError($template->error());
810 }
811 }
Mirror of https://github.com/bugzilla/bugzilla.git