authorbugreport%peshkin.net <>2002-12-11 09:41:19 +0100
committerbugreport%peshkin.net <>2002-12-11 09:41:19 +0100
commit6bd37cce67502e54410dde53f615b5d9b860a4be (patch)
treef924986ee994fc7dd68d91f990de8273c806a5dd
parentc457b4c49d1ac10b91db246235e65292798f33d6 (diff)
Bug 184256 Canedit group_control_map entry does not prevent making attachments
r=bbaetz a=justdave
-rw-r--r--Attachment.pm9
-rw-r--r--Bugzilla/Attachment.pm9
-rwxr-xr-xattachment.cgi26
3 files changed, 40 insertions, 4 deletions
diff --git a/Attachment.pm b/Attachment.pm
index 27d7fa2ca..322a3b2ba 100644
--- a/Attachment.pm
+++ b/Attachment.pm
@@ -65,6 +65,11 @@ sub query
my ($bugid) = @_;
my $in_editbugs = &::UserInGroup("editbugs");
+ &::SendSQL("SELECT product_id
+ FROM bugs
+ WHERE bug_id = $bugid");
+ my $productid = &::FetchOneColumn();
+ my $caneditproduct = &::CanEditProductId($productid);
# Retrieve a list of attachments for this bug and write them into an array
# of hashes in which each hash represents a single attachment.
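Review bot: The new lookup interpolates `$bugid` straight into the SQL string, so the safety of this query depends entirely on every caller of `query` having passed the id through ValidateBugID first; nothing in the sub enforces that. Either quote it the way the rest of the code does (`WHERE bug_id = " . &::SqlQuote($bugid));`) or state the precondition above the query, e.g. `# $bugid must already be validated as a bug number (ValidateBugID); it is interpolated unquoted below.`. The same unquoted interpolation appears in the identical hunk of Bugzilla/Attachment.pm and in the two new subs at the end of attachment.cgi (`$attachid`, `$bugid`). If the bug row does not exist, FetchOneColumn presumably yields undef and `$caneditproduct` is then whatever CanEditProductId makes of undef — worth a one-line comment on what that case is expected to do. The body of `query` continues past this hunk.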
@@ -88,8 +93,8 @@ sub query
# ie the are the submitter, or they have canedit.
# Also show the link if the user is not logged in - in that cae,
# They'll be prompted later
- $a{'canedit'} = ($::userid == 0 || $submitter_id == $::userid ||
- $in_editbugs);
+ $a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid ||
+ $in_editbugs) && $caneditproduct));
push @attachments, \%a;
}
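Review bot: The comment block at the top of this hunk still describes the old rule ("the are the submitter, or they have canedit") and no longer matches the new expression, which additionally requires `$caneditproduct`; it should be updated to something like `# Show the edit link if the user is the submitter or has editbugs, AND can edit the bug's product (group_control_map canedit). Logged-out users always get the link; they are checked after login.`. The nested parentheses in the new assignment are hard to read; computing the product-gated part first, `my $can_change = ($submitter_id == $::userid || $in_editbugs) && $caneditproduct;` and then `$a{'canedit'} = ($::userid == 0 || $can_change);`, says the same thing more plainly. The identical hunk in Bugzilla/Attachment.pm has the same stale comment.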
diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm
index 27d7fa2ca..322a3b2ba 100644
--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
@@ -65,6 +65,11 @@ sub query
my ($bugid) = @_;
my $in_editbugs = &::UserInGroup("editbugs");
+ &::SendSQL("SELECT product_id
+ FROM bugs
+ WHERE bug_id = $bugid");
+ my $productid = &::FetchOneColumn();
+ my $caneditproduct = &::CanEditProductId($productid);
# Retrieve a list of attachments for this bug and write them into an array
# of hashes in which each hash represents a single attachment.
@@ -88,8 +93,8 @@ sub query
# ie the are the submitter, or they have canedit.
# Also show the link if the user is not logged in - in that cae,
# They'll be prompted later
- $a{'canedit'} = ($::userid == 0 || $submitter_id == $::userid ||
- $in_editbugs);
+ $a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid ||
+ $in_editbugs) && $caneditproduct));
push @attachments, \%a;
}
diff --git a/attachment.cgi b/attachment.cgi
index 27c2c107c..5c3ce09ac 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -77,12 +77,14 @@ elsif ($action eq "enter")
{
confirm_login();
ValidateBugID($::FORM{'bugid'});
+ validateCanChangeBug($::FORM{'bugid'});
enter();
}
elsif ($action eq "insert")
{
confirm_login();
ValidateBugID($::FORM{'bugid'});
+ validateCanChangeBug($::FORM{'bugid'});
ValidateComment($::FORM{'comment'});
validateFilename();
validateIsPatch();
@@ -105,6 +107,7 @@ elsif ($action eq "update")
ValidateComment($::FORM{'comment'});
validateID();
validateCanEdit($::FORM{'id'});
+ validateCanChangeAttachment($::FORM{'id'});
validateDescription();
validateIsPatch();
validateContentType() unless $::FORM{'ispatch'};
@@ -171,6 +174,29 @@ sub validateCanEdit
|| ThrowUserError("illegal_attachment_edit");
}
+sub validateCanChangeAttachment
+{
+ my ($attachid) = @_;
+ SendSQL("SELECT product_id
+ FROM attachments, bugs
+ WHERE attach_id = $attachid
+ AND bugs.bug_id = attachments.bug_id");
+ my $productid = FetchOneColumn();
+ CanEditProductId($productid)
+ || ThrowUserError("illegal_attachment_edit");
+}
+
+sub validateCanChangeBug
+{
+ my ($bugid) = @_;
+ SendSQL("SELECT product_id
+ FROM bugs
+ WHERE bug_id = $bugid");
+ my $productid = FetchOneColumn();
+ CanEditProductId($productid)
+ || ThrowUserError("illegal_attachment_edit");
+}
+
sub validateDescription
{
$::FORM{'description'}
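Review bot: Both new subs pass the result of FetchOneColumn to CanEditProductId without checking that a row was found, so an attachment or bug id with no matching row yields an undefined product id and the outcome rests on how CanEditProductId treats undef; an explicit `defined $productid || ThrowUserError("illegal_attachment_edit");` before the product check would make the deny decision deliberate rather than incidental. validateCanChangeBug is called from the "enter" and "insert" paths, where no attachment exists yet, so the error key `illegal_attachment_edit` is likely to produce a misleading message there. Neither sub has a header comment; each should state what it checks and its precondition, e.g. `# Die unless the current user may change the product that owns this attachment (group_control_map canedit). $attachid must already have passed validateID.`. The product lookup in validateCanChangeBug duplicates the one added to Attachment::query in this same commit, which is a candidate for a shared helper.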