diff options
author | bbaetz%student.usyd.edu.au <> | 2002-02-26 15:13:33 +0100 |
---|---|---|
committer | bbaetz%student.usyd.edu.au <> | 2002-02-26 15:13:33 +0100 |
commit | 8e03a8495526725e59ab07586afbb4130ad5f7cd (patch) | |
tree | d7faf0eda197e277cede26105763fb78a22b8bcf /attachment.cgi | |
parent | aa8bcb0d7a825d53a26e200c52dec2fa2f585ab1 (diff) | |
download | bugzilla-8e03a8495526725e59ab07586afbb4130ad5f7cd.tar.gz bugzilla-8e03a8495526725e59ab07586afbb4130ad5f7cd.tar.xz |
Bug 97729 - uploaders need to be able to obsolete their own attachments
r=jake, justdave
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-x | attachment.cgi | 60 |
1 files changed, 39 insertions, 21 deletions
diff --git a/attachment.cgi b/attachment.cgi index ea17c29e5..32b4ef461 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -87,16 +87,16 @@ elsif ($action eq "insert") } elsif ($action eq "edit") { + quietly_check_login(); validateID(); + validateCanEdit($::FORM{'id'}); edit(); } elsif ($action eq "update") { confirm_login(); - UserInGroup("editbugs") - || DisplayError("You are not authorized to edit attachments.") - && exit; validateID(); + validateCanEdit($::FORM{'id'}); validateDescription(); validateIsPatch(); validateContentType() unless $::FORM{'ispatch'}; @@ -135,6 +135,28 @@ sub validateID ValidateBugID($bugid); } +sub validateCanEdit +{ + my ($attach_id) = (@_); + + # If the user is not logged in, claim that they can edit. This allows + # the edit scrren to be displayed to people who aren't logged in. + # People not logged in can't actually commit changes, because that code + # calls confirm_login, not quietly_check_login, before calling this sub + return if $::userid == 0; + + # People in editbugs can edit all attachments + return if UserInGroup("editbugs"); + + # Bug 97729 - the submitter can edit their attachments + SendSQL("SELECT attach_id FROM attachments WHERE " . + "attach_id = $attach_id AND submitter_id = $::userid"); + + FetchSQLData() + || DisplayError("You are not authorised to edit attachment #$attach_id") + && exit; +} + sub validateDescription { $::FORM{'description'} @@ -278,15 +300,6 @@ sub validateFilename sub validateObsolete { - # When a user creates an attachment, they can request that one or more - # existing attachments be made obsolete. This function makes sure they - # are authorized to make changes to attachments and that the IDs of the - # attachments they selected for obsoletion are all valid. - UserInGroup("editbugs") - || DisplayError("You must be authorized to make changes to attachments - to make attachments obsolete when creating a new attachment.") - && exit; - # Make sure the attachment id is valid and the user has permissions to view # the bug to which it is attached. foreach my $attachid (@{$::MFORM{'obsolete'}}) { @@ -305,9 +318,6 @@ sub validateObsolete my ($bugid, $isobsolete, $description) = FetchSQLData(); - # Make sure the user is authorized to access this attachment's bug. - ValidateBugID($bugid); - if ($bugid != $::FORM{'bugid'}) { $description = html_quote($description); @@ -323,6 +333,9 @@ sub validateObsolete DisplayError("Attachment #$attachid ($description) is already obsolete."); exit; } + + # Check that the user can modify this attachment + validateCanEdit($attachid); } } @@ -411,12 +424,16 @@ sub enter { # Display a form for entering a new attachment. - # Retrieve the attachments from the database and write them into an array - # of hashes where each hash represents one attachment. + # Retrieve the attachments the user can edit from the database and write + # them into an array of hashes where each hash represents one attachment. + my $canEdit = ""; + if (!UserInGroup("editbugs")) { + $canEdit = "AND submitter_id = $::userid"; + } SendSQL("SELECT attach_id, description FROM attachments WHERE bug_id = $::FORM{'bugid'} - AND isobsolete = 0 + AND isobsolete = 0 $canEdit ORDER BY attach_id"); my @attachments; # the attachments array while ( MoreSQLData() ) { @@ -516,9 +533,10 @@ sub insert sub edit { - # Edit an attachment record. Users with "editbugs" privileges can edit the - # attachment's description, content type, ispatch and isobsolete flags, and - # statuses, and they can also submit a comment that appears in the bug. + # Edit an attachment record. Users with "editbugs" privileges, (or the + # original attachment's submitter) can edit the attachment's description, + # content type, ispatch and isobsolete flags, and statuses, and they can + # also submit a comment that appears in the bug. # Users cannot edit the content of the attachment itself. # Retrieve the attachment from the database. |