diff options
author | Lukas Fleischer <lfleischer@archlinux.org> | 2015-05-22 14:44:24 +0200 |
---|---|---|
committer | Lukas Fleischer <lfleischer@archlinux.org> | 2015-05-22 17:09:26 +0200 |
commit | 0dcdc23a7f0babd1bc7d1bb31a2ff2b7602d5cdf (patch) | |
tree | 614a41925114b441c74d125b47a86feed683360e /web | |
parent | 2b909cb3f6e19d730cdd560fc1c5d11ddad431c1 (diff) | |
download | aur-0dcdc23a7f0babd1bc7d1bb31a2ff2b7602d5cdf.tar.gz aur-0dcdc23a7f0babd1bc7d1bb31a2ff2b7602d5cdf.tar.xz |
Fix the permission check in pkgbase_adopt()
Filter the affected package bases before closing any package requests.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web')
-rw-r--r-- | web/lib/pkgbasefuncs.inc.php | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php index 50cb47e0..d10b5ad5 100644 --- a/web/lib/pkgbasefuncs.inc.php +++ b/web/lib/pkgbasefuncs.inc.php @@ -579,7 +579,25 @@ function pkgbase_adopt ($base_ids, $action=true, $via) { } } + /* Verify package ownership. */ $base_ids = sanitize_ids($base_ids); + + $q = "SELECT ID FROM PackageBases "; + $q.= "WHERE ID IN (" . implode(",", $base_ids) . ") "; + + if ($action && !has_credential(CRED_PKGBASE_ADOPT)) { + /* Regular users may only adopt orphan packages. */ + $q.= "AND MaintainerUID IS NULL"; + } + if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) { + /* Regular users may only disown their own packages. */ + $q.= "AND MaintainerUID = " . $uid; + } + + $result = $dbh->query($q); + $base_ids = $result->fetchAll(PDO::FETCH_COLUMN, 0); + + /* Error out if the list of remaining packages is empty. */ if (empty($base_ids)) { if ($action) { return array(false, __("You did not select any packages to adopt.")); @@ -618,16 +636,6 @@ function pkgbase_adopt ($base_ids, $action=true, $via) { $q.= "SET MaintainerUID = NULL "; } $q.= "WHERE ID IN (" . implode(",", $base_ids) . ") "; - - if ($action && !has_credential(CRED_PKGBASE_ADOPT)) { - /* Regular users may only adopt orphan packages. */ - $q.= "AND MaintainerUID IS NULL"; - } - if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) { - /* Regular users may only disown their own packages. */ - $q.= "AND MaintainerUID = " . $uid; - } - $dbh->exec($q); if ($action) { |