summaryrefslogtreecommitdiffstats
path: root/web
diff options
context:
space:
mode:
authorLukas Fleischer <lfleischer@archlinux.org>2015-05-22 14:44:24 +0200
committerLukas Fleischer <lfleischer@archlinux.org>2015-05-22 17:09:26 +0200
commit0dcdc23a7f0babd1bc7d1bb31a2ff2b7602d5cdf (patch)
tree614a41925114b441c74d125b47a86feed683360e /web
parent2b909cb3f6e19d730cdd560fc1c5d11ddad431c1 (diff)
downloadaur-0dcdc23a7f0babd1bc7d1bb31a2ff2b7602d5cdf.tar.gz
aur-0dcdc23a7f0babd1bc7d1bb31a2ff2b7602d5cdf.tar.xz
Fix the permission check in pkgbase_adopt()
Filter the affected package bases before closing any package requests. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web')
-rw-r--r--web/lib/pkgbasefuncs.inc.php28
1 files changed, 18 insertions, 10 deletions
diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php
index 50cb47e0..d10b5ad5 100644
--- a/web/lib/pkgbasefuncs.inc.php
+++ b/web/lib/pkgbasefuncs.inc.php
@@ -579,7 +579,25 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
}
}
+ /* Verify package ownership. */
$base_ids = sanitize_ids($base_ids);
+
+ $q = "SELECT ID FROM PackageBases ";
+ $q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
+
+ if ($action && !has_credential(CRED_PKGBASE_ADOPT)) {
+ /* Regular users may only adopt orphan packages. */
+ $q.= "AND MaintainerUID IS NULL";
+ }
+ if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) {
+ /* Regular users may only disown their own packages. */
+ $q.= "AND MaintainerUID = " . $uid;
+ }
+
+ $result = $dbh->query($q);
+ $base_ids = $result->fetchAll(PDO::FETCH_COLUMN, 0);
+
+ /* Error out if the list of remaining packages is empty. */
if (empty($base_ids)) {
if ($action) {
return array(false, __("You did not select any packages to adopt."));
@@ -618,16 +636,6 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
$q.= "SET MaintainerUID = NULL ";
}
$q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
-
- if ($action && !has_credential(CRED_PKGBASE_ADOPT)) {
- /* Regular users may only adopt orphan packages. */
- $q.= "AND MaintainerUID IS NULL";
- }
- if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) {
- /* Regular users may only disown their own packages. */
- $q.= "AND MaintainerUID = " . $uid;
- }
-
$dbh->exec($q);
if ($action) {