authorlpsolit%gmail.com <>2006-04-18 05:19:35 +0200
committerlpsolit%gmail.com <>2006-04-18 05:19:35 +0200
commit246f6778660fe4a878b1f08eee175b1076c5e224 (patch)
treeea21520a5859f2820eefdefa74829783cc3116a9 /attachment.cgi
parent3811d9d8a825a4aadaea2ac8e489d410fe408e28 (diff)
Bug 44595: Implement an interface for administrators to delete attachments - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked, justdave a=justdave
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-xattachment.cgi83
1 files changed, 83 insertions, 0 deletions
diff --git a/attachment.cgi b/attachment.cgi
index c212c6f36..fbe0bd054 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -49,6 +49,7 @@ use Bugzilla::Util;
use Bugzilla::Bug;
use Bugzilla::Field;
use Bugzilla::Attachment;
+use Bugzilla::Token;
Bugzilla->login();
@@ -103,6 +104,9 @@ elsif ($action eq "update")
Bugzilla->login(LOGIN_REQUIRED);
update();
}
+elsif ($action eq "delete") {
+ delete_attachment();
+}
else
{
ThrowCodeError("unknown_action", { action => $action });
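Review bot: The new `delete` branch calls `delete_attachment()` without the `Bugzilla->login(LOGIN_REQUIRED)` call that the sibling `update` branch performs at dispatch; the login is done inside `delete_attachment` itself (later in this diff), so behaviour is equivalent, but the two branches now read differently. Either adding `Bugzilla->login(LOGIN_REQUIRED);` before the call, or a comment such as `# delete_attachment() performs its own LOGIN_REQUIRED login.`, would keep the dispatch chain uniform and make the access requirement visible where the other actions declare it. The enclosing if/elsif chain starts before the hunk.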
@@ -1329,3 +1333,82 @@ sub update
$template->process("attachment/updated.html.tmpl", $vars)
|| ThrowTemplateError($template->error());
}
+
+# Only administrators can delete attachments.
+sub delete_attachment {
+ my $user = Bugzilla->login(LOGIN_REQUIRED);
+ my $dbh = Bugzilla->dbh;
+
+ print $cgi->header();
+
+ $user->in_group('admin')
+ || ThrowUserError('auth_failure', {group => 'admin',
+ action => 'delete',
+ object => 'attachment'});
+
+ Param('allow_attachment_deletion')
+ || ThrowUserError('attachment_deletion_disabled');
+
+ # Make sure the administrator is allowed to edit this attachment.
+ my ($attach_id, $bug_id) = validateID();
+ validateCanEdit($attach_id);
+ validateCanChangeAttachment($attach_id);
+
+ my $attachment = Bugzilla::Attachment->get($attach_id);
+ $attachment->datasize || ThrowUserError('attachment_removed');
+
+ # We don't want to let a malicious URL accidentally delete an attachment.
+ my $token = trim($cgi->param('token'));
+ if ($token) {
+ my ($creator_id, $date, $event) = Bugzilla::Token::GetTokenData($token);
+ unless ($creator_id
+ && ($creator_id == $user->id)
+ && ($event eq "attachment$attach_id"))
+ {
+ # The token is invalid.
+ ThrowUserError('token_inexistent');
+ }
+
+ # The token is valid. Delete the content of the attachment.
+ my $msg;
+ $vars->{'attachid'} = $attach_id;
+ $vars->{'bugid'} = $bug_id;
+ $vars->{'date'} = $date;
+ $vars->{'reason'} = clean_text($cgi->param('reason') || '');
+ $vars->{'mailrecipients'} = { 'changer' => $user->login };
+
+ $template->process("attachment/delete_reason.txt.tmpl", $vars, \$msg)
+ || ThrowTemplateError($template->error());
+
+ $dbh->bz_lock_tables('attachments WRITE', 'attach_data WRITE', 'flags WRITE');
+ $dbh->do('DELETE FROM attach_data WHERE id = ?', undef, $attach_id);
+ $dbh->do('UPDATE attachments SET mimetype = ?, ispatch = ?, isurl = ?
+ WHERE attach_id = ?', undef, ('text/plain', 0, 0, $attach_id));
+ $dbh->do('DELETE FROM flags WHERE attach_id = ?', undef, $attach_id);
+ $dbh->bz_unlock_tables;
+
+ # If the attachment is stored locally, remove it.
+ if (-e $attachment->_get_local_filename) {
+ unlink $attachment->_get_local_filename;
+ }
+
+ # Now delete the token.
+ Bugzilla::Token::DeleteToken($token);
+
+ # Paste the reason provided by the admin into a comment.
+ AppendComment($bug_id, $user->id, $msg);
+
+ $template->process("attachment/updated.html.tmpl", $vars)
+ || ThrowTemplateError($template->error());
+ }
+ else {
+ # Create a token.
+ $token = Bugzilla::Token::IssueSessionToken('attachment' . $attach_id);
+
+ $vars->{'a'} = $attachment;
+ $vars->{'token'} = $token;
+
+ $template->process("attachment/confirm-delete.html.tmpl", $vars)
+ || ThrowTemplateError($template->error());
+ }
+}
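Review bot: The `unlink` following `if (-e $attachment->_get_local_filename)` ignores its return value, so if removing the on-disk copy fails the `attach_data` and `flags` rows are already gone while the file content remains, and nothing records that; taking the path once into a lexical and writing `unlink $file or warn "unlink $file: $!";` would at least surface the failure, and checking `$!` also removes the need for the separate `-e` test. Because the unlink happens after `bz_unlock_tables`, any failure between the `DELETE` and the unlink leaves the same half-deleted state, so ordering the file removal with the database change, or verifying it afterwards, is worth considering. Separately, `print $cgi->header()` is issued before the admin-group check and before `Param('allow_attachment_deletion')` is consulted; whether that is harmless depends on how `ThrowUserError` emits its own header in this version, which is outside the hunk. Calling the underscore-prefixed `_get_local_filename` from outside `Bugzilla::Attachment` is a point of style, since the leading underscore marks it as private to that class.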