($vars->{'operations'}) =
Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts'));
+ # The token contains the old modification_time. We need a new one.
+ $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
+
# If the modification date changed but there is no entry in
# the activity table, this means someone commented only.
# In this case, there is no reason to midair.
exit;
}
}
+
+ # We couldn't do this check earlier as we first had to validate attachment ID
+ # and display the mid-air collision page if modification_time changed.
+ my $token = $cgi->param('token');
+ check_hash_token($token, [$attachment->id, $attachment->modification_time]);
+
# If the submitter of the attachment is not in the insidergroup,
# be sure that he cannot overwrite the private bit.
# This check must be done before calling Bugzilla::Flag*::validate(),
<input type="hidden" name="action" value="update">
<input type="hidden" name="contenttypemethod" value="manual">
<input type="hidden" name="delta_ts" value="[% attachment.modification_time FILTER html %]">
+ [% IF user.id %]
+ <input type="hidden" name="token" value="[% issue_hash_token([attachment.id, attachment.modification_time]) FILTER html %]">
+ [% END %]
<table class="attachment_info" width="100%">
<type>[% a.contenttype FILTER xml %]</type>
<size>[% a.datasize FILTER xml %]</size>
<attacher>[% a.attacher.email FILTER xml %]</attacher>
- [% IF displayfields.attachmentdata %]
- <data encoding="base64">[% a.data FILTER base64 %]</data>
- [% END %]
+ [%# This is here so automated clients can still use attachment.cgi %]
+ [% IF displayfields.token && user.id %]
+ <token>[% issue_hash_token([a.id, a.modification_time]) FILTER xml %]</token>
+ [% END %]
+ [% IF displayfields.attachmentdata %]
+ <data encoding="base64">[% a.data FILTER base64 %]</data>
+ [% END %]
[% FOREACH flag = a.flags %]
<flag name="[% flag.type.name FILTER xml %]"
projects / thirdparty / bugzilla.git / commitdiff
