author | lpsolit%gmail.com <> | 2005-10-19 02:45:47 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2005-10-19 02:45:47 +0200 |
commit | 8d67e86a56de870d2a76f0bc5d0dfa53af664a73 (patch) | |
tree | 5406a0078d3d75838cc47fcf6004e37e1354abc1 | |
parent | 59ef7920a7efaba7cf0e5b55eb85761b59c8aaa7 (diff) | |
Bug 302936: Reject the requestee if he cannot access private attachments - Patch by Frédéric Buclin <LpSolit@gmail.com> r=jouni a=justdave
-rw-r--r-- | Bugzilla/Flag.pm | 5 | ||||
-rw-r--r-- | Bugzilla/FlagType.pm | 3 | ||||
-rwxr-xr-x | attachment.cgi | 8 |
3 files changed, 11 insertions, 5 deletions
diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm
index 34ded7dd2..54a8bea80 100644
--- a/Bugzilla/Flag.pm
+++ b/Bugzilla/Flag.pm
@@ -228,10 +228,13 @@ sub count {
 =over
-=item C<validate($cgi, $bug_id)>
+=item C<validate($cgi, $bug_id, $attach_id)>
 Validates fields containing flag modifications.
+If the attachment is new, it has no ID yet and $attach_id is set
+to -1 to force its check anyway.
+
 =back
 =cut
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index a7a32c5cc..950aeea9a 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -320,6 +320,9 @@ to extract flag type IDs from form field names by matching columns whose name looks like "flag_type-nnn", where "nnn" is the ID, and returning just the ID portion of matching field names.
+If the attachment is new, it has no ID yet and $attach_id is set
+to -1 to force its check anyway.
+
 =back
 =cut
diff --git a/attachment.cgi b/attachment.cgi
index 6670e6325..3aa1a68d6 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -937,11 +937,11 @@ sub insert
 $vars->{'message'} = 'user_match_multiple';
 }
- # Flag::validate() should not detect any reference to existing
- # flags when creating a new attachment. Setting the third param
- # to -1 will force this function to check this point.
+ # FlagType::validate() and Flag::validate() should not detect
+ # any reference to existing flags when creating a new attachment.
+ # Setting the third param to -1 will force this function to check this point.
 Bugzilla::Flag::validate($cgi, $bugid, -1);
- Bugzilla::FlagType::validate($cgi, $bugid);
+ Bugzilla::FlagType::validate($cgi, $bugid, -1);
 # Escape characters in strings that will be used in SQL statements.
 my $sql_filename = SqlQuote($filename); |
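Review bot: The new call `Bugzilla::FlagType::validate($cgi, $bugid, -1);` in insert relies on FlagType::validate treating -1 as "new attachment", but the FlagType.pm section of this commit only touches POD, so how that sentinel is handled is not visible here; it is worth confirming that -1 is never used as a real attachment ID in a lookup and that the private-attachment requestee check actually runs for it. The rewritten comment names two functions and then says "this function"; `# Passing -1 as the attachment ID makes both validators run this check.` would be unambiguous. A named constant for -1 shared by Flag.pm and FlagType.pm would keep the two call sites from drifting apart. insert's body starts and ends outside the hunk.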