From: bugreport%peshkin.net <>
Date: Wed, 11 Dec 2002 08:41:19 +0000 (+0000)
Subject: Bug 184256 Canedit group_control_map entry does not prevent making attachments
X-Git-Tag: bugzilla-2.17.2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6bd37cce67502e54410dde53f615b5d9b860a4be;p=thirdparty%2Fbugzilla.git

Bug 184256 Canedit group_control_map entry does not prevent making attachments
r=bbaetz a=justdave
---

diff --git a/Attachment.pm b/Attachment.pm
index 27d7fa2cab..322a3b2bab 100644
--- a/Attachment.pm
+++ b/Attachment.pm
@@ -65,6 +65,11 @@ sub query
 my ($bugid) = @_;
 
 my $in_editbugs = &::UserInGroup("editbugs");
+ &::SendSQL("SELECT product_id
+ FROM bugs
+ WHERE bug_id = $bugid");
+ my $productid = &::FetchOneColumn();
+ my $caneditproduct = &::CanEditProductId($productid);
 
 # Retrieve a list of attachments for this bug and write them into an array
 # of hashes in which each hash represents a single attachment.
@@ -88,8 +93,8 @@ sub query
 # ie the are the submitter, or they have canedit.
 # Also show the link if the user is not logged in - in that cae,
 # They'll be prompted later
- $a{'canedit'} = ($::userid == 0 || $submitter_id == $::userid ||
- $in_editbugs);
+ $a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid ||
+ $in_editbugs) && $caneditproduct));
 push @attachments, \%a;
 }
 
diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm
index 27d7fa2cab..322a3b2bab 100644
--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
@@ -65,6 +65,11 @@ sub query
 my ($bugid) = @_;
 
 my $in_editbugs = &::UserInGroup("editbugs");
+ &::SendSQL("SELECT product_id
+ FROM bugs
+ WHERE bug_id = $bugid");
+ my $productid = &::FetchOneColumn();
+ my $caneditproduct = &::CanEditProductId($productid);
 
 # Retrieve a list of attachments for this bug and write them into an array
 # of hashes in which each hash represents a single attachment.
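Review bot: The new `SELECT product_id ... WHERE bug_id = $bugid` in `query` interpolates its argument into SQL without checking that it is numeric, so the lookup is only safe when every caller has already run `ValidateBugID` on the value; that precondition should be stated at the top of the sub, e.g. `# $bugid must already be validated by the caller (ValidateBugID) -- it is interpolated into SQL below`, or enforced locally with `&::detaint_natural($bugid)` if that helper is reachable from this module. If the id does not match a row, `FetchOneColumn` presumably returns undef and `CanEditProductId(undef)` is left to decide; worth confirming that it answers false rather than warning and falling through. The identical hunk in Bugzilla/Attachment.pm (same index hashes) has the same point. In the second hunk of each file `$::userid == 0` still short-circuits the product check, so `$a{'canedit'}` remains a display hint for the login prompt and must not be read as authorisation anywhere; attachment.cgi has to stay the enforcement point. `query` begins before and ends after this hunk.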
@@ -88,8 +93,8 @@ sub query
 # ie the are the submitter, or they have canedit.
 # Also show the link if the user is not logged in - in that cae,
 # They'll be prompted later
- $a{'canedit'} = ($::userid == 0 || $submitter_id == $::userid ||
- $in_editbugs);
+ $a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid ||
+ $in_editbugs) && $caneditproduct));
 push @attachments, \%a;
 }
 
diff --git a/attachment.cgi b/attachment.cgi
index 27c2c107c1..5c3ce09ace 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -77,12 +77,14 @@ elsif ($action eq "enter")
 {
 confirm_login();
 ValidateBugID($::FORM{'bugid'});
+ validateCanChangeBug($::FORM{'bugid'});
 enter();
 }
 elsif ($action eq "insert")
 {
 confirm_login();
 ValidateBugID($::FORM{'bugid'});
+ validateCanChangeBug($::FORM{'bugid'});
 ValidateComment($::FORM{'comment'});
 validateFilename();
 validateIsPatch();
@@ -105,6 +107,7 @@ elsif ($action eq "update")
 ValidateComment($::FORM{'comment'});
 validateID();
 validateCanEdit($::FORM{'id'});
+ validateCanChangeAttachment($::FORM{'id'});
 validateDescription();
 validateIsPatch();
 validateContentType() unless $::FORM{'ispatch'};
@@ -171,6 +174,29 @@ sub validateCanEdit
 || ThrowUserError("illegal_attachment_edit");
 }
 
+sub validateCanChangeAttachment
+{
+ my ($attachid) = @_;
+ SendSQL("SELECT product_id
+ FROM attachments, bugs
+ WHERE attach_id = $attachid
+ AND bugs.bug_id = attachments.bug_id");
+ my $productid = FetchOneColumn();
+ CanEditProductId($productid)
+ || ThrowUserError("illegal_attachment_edit");
+}
+
+sub validateCanChangeBug
+{
+ my ($bugid) = @_;
+ SendSQL("SELECT product_id
+ FROM bugs
+ WHERE bug_id = $bugid");
+ my $productid = FetchOneColumn();
+ CanEditProductId($productid)
+ || ThrowUserError("illegal_attachment_edit");
+}
+
 sub validateDescription
 {
 $::FORM{'description'}
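Review bot: `validateCanChangeAttachment` and `validateCanChangeBug` interpolate `$attachid` and `$bugid` straight into SQL and are safe only because the `@@ -77` and `@@ -105` dispatch hunks call them after `ValidateBugID` / `validateID`; a future caller that skips that step gets an injectable query, so each sub should carry the precondition, e.g. `# Caller must have validated $bugid (ValidateBugID) -- it is interpolated into SQL.`. `validateCanChangeAttachment` also repeats the body of `validateCanChangeBug`, and a third copy of the bug-to-product lookup lives in Attachment.pm's `query`; the attachment variant could shrink to `SendSQL("SELECT bug_id FROM attachments WHERE attach_id = $attachid");` followed by `validateCanChangeBug(FetchOneColumn());`. Both subs throw `illegal_attachment_edit`, which for the `enter`/`insert` actions tells the user that creating an attachment is an illegal edit; if the error templates have a more specific key it would read better. Only the `enter`, `insert` and `update` branches gain the check in this diff; I cannot see whether attachment.cgi has other state-changing actions, but any that exist need the same guard.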