authorlpsolit%gmail.com <>2005-10-19 02:45:47 +0200
committerlpsolit%gmail.com <>2005-10-19 02:45:47 +0200
commit8d67e86a56de870d2a76f0bc5d0dfa53af664a73 (patch)
tree5406a0078d3d75838cc47fcf6004e37e1354abc1
parent59ef7920a7efaba7cf0e5b55eb85761b59c8aaa7 (diff)
Bug 302936: Reject the requestee if he cannot access private attachments - Patch by Frédéric Buclin <LpSolit@gmail.com> r=jouni a=justdave
-rw-r--r--Bugzilla/Flag.pm5
-rw-r--r--Bugzilla/FlagType.pm3
-rwxr-xr-xattachment.cgi8
3 files changed, 11 insertions, 5 deletions
diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm
index 34ded7dd2..54a8bea80 100644
--- a/Bugzilla/Flag.pm
+++ b/Bugzilla/Flag.pm
@@ -228,10 +228,13 @@ sub count {
=over
-=item C<validate($cgi, $bug_id)>
+=item C<validate($cgi, $bug_id, $attach_id)>
Validates fields containing flag modifications.
+If the attachment is new, it has no ID yet and $attach_id is set
+to -1 to force its check anyway.
+
=back
=cut
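Review bot: The added paragraph says -1 is passed "to force its check anyway" but never names the check; the same sentence is added to Bugzilla/FlagType.pm. Going by the commit title, the check is that the requestee can access a private attachment, so the POD should say so, for example `If the attachment is new it has no ID yet; pass -1 as $attach_id so that the requestee's access to a private attachment is still checked.` It would also help to state what the other accepted values of $attach_id mean, but validate()'s body is outside this hunk, so that cannot be confirmed from here.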
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index a7a32c5cc..950aeea9a 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -320,6 +320,9 @@ to extract flag type IDs from form field names by matching columns
whose name looks like "flag_type-nnn", where "nnn" is the ID,
and returning just the ID portion of matching field names.
+If the attachment is new, it has no ID yet and $attach_id is set
+to -1 to force its check anyway.
+
=back
=cut
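Review bot: This paragraph refers to $attach_id, but the `=item` heading for this entry sits above the hunk and is not touched here. The Flag.pm hunk does update its heading, to `validate($cgi, $bug_id, $attach_id)`. If the FlagType.pm heading still reads `validate($cgi, $bug_id)`, it should get the same update so the documented signature matches the three-argument call now made in attachment.cgi.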
diff --git a/attachment.cgi b/attachment.cgi
index 6670e6325..3aa1a68d6 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -937,11 +937,11 @@ sub insert
$vars->{'message'} = 'user_match_multiple';
}
- # Flag::validate() should not detect any reference to existing
- # flags when creating a new attachment. Setting the third param
- # to -1 will force this function to check this point.
+ # FlagType::validate() and Flag::validate() should not detect
+ # any reference to existing flags when creating a new attachment.
+ # Setting the third param to -1 will force this function to check this point.
Bugzilla::Flag::validate($cgi, $bugid, -1);
- Bugzilla::FlagType::validate($cgi, $bugid);
+ Bugzilla::FlagType::validate($cgi, $bugid, -1);
# Escape characters in strings that will be used in SQL statements.
my $sql_filename = SqlQuote($filename);
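Review bot: The rewritten comment names two validators but still says "this function", and the bare `-1` is now a sentinel repeated across two calls with nothing at the call site explaining it. I would reword the last comment line to `# Passing -1 as the attachment ID tells both functions that the attachment is new.` and consider a shared named constant in place of the literal. Both calls also discard any return value, so rejecting the requestee depends on validate() aborting the request itself, presumably by throwing an error; a short comment saying so would help, since neither body is visible here. insert() starts and ends outside this hunk.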