Bug 140999: Users without edit permissions for an attachment should still be able to make comments - Patch by Frédéric Buclin <LpSolit@gmail.com> a=LpSolit

1 files changed, 6 insertions, 8 deletions

diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm
index b1aecd5b0..42372393c 100644
--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
@@ -720,7 +720,7 @@ Description: validates if the user is allowed to view and edit the attachment.
 Params:      $attachment - the attachment object being edited.
              $product_id - the product ID the attachment belongs to.
 
-Returns:     1 on success. Else an error is thrown.
+Returns:     1 on success, 0 otherwise.
 
 =cut
 
@@ -729,12 +729,9 @@ sub validate_can_edit {
     my $user = Bugzilla->user;
 
     # The submitter can edit their attachments.
-    return 1 if ($attachment->attacher->id == $user->id
-                 || ((!$attachment->isprivate || $user->is_insider)
-                      && $user->in_group('editbugs', $product_id)));
-
-    # If we come here, then this attachment cannot be edited by the user.
-    ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id });
+    return ($attachment->attacher->id == $user->id
+            || ((!$attachment->isprivate || $user->is_insider)
+                 && $user->in_group('editbugs', $product_id))) ? 1 : 0;
 }
 
 =item C<validate_obsolete($bug)>
@@ -769,7 +766,8 @@ sub validate_obsolete {
           || ThrowUserError('invalid_attach_id', $vars);
 
         # Check that the user can view and edit this attachment.
-        $attachment->validate_can_edit($bug->product_id);
+        $attachment->validate_can_edit($bug->product_id)
+          || ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id });
 
         $vars->{'description'} = $attachment->description;