Diffstat (limited to 'attachment.cgi')
-rwxr-xr-x | attachment.cgi | 99 |
1 files changed, 63 insertions, 36 deletions
diff --git a/attachment.cgi b/attachment.cgi
index 5614549e4..9f3b39fcc 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -109,6 +109,7 @@ elsif ($action eq "update")
 validateIsPatch();
 validateContentType() unless $::FORM{'ispatch'};
 validateIsObsolete();
+ validatePrivate();
 validateStatuses();
 update();
 }
@@ -125,22 +126,25 @@ exit;
 sub validateID
 {
- # Validate the value of the "id" form field, which must contain an
- # integer that is the ID of an existing attachment.
+ # Validate the value of the "id" form field, which must contain an
+ # integer that is the ID of an existing attachment.
- detaint_natural($::FORM{'id'})
- || DisplayError("You did not enter a valid attachment number.")
+ detaint_natural($::FORM{'id'})
+ || DisplayError("You did not enter a valid attachment number.")
 && exit;
- # Make sure the attachment exists in the database.
- SendSQL("SELECT bug_id FROM attachments WHERE attach_id = $::FORM{'id'}");
- MoreSQLData()
- || DisplayError("Attachment #$::FORM{'id'} does not exist.")
- && exit;
+ # Make sure the attachment exists in the database.
+ SendSQL("SELECT bug_id, isprivate FROM attachments WHERE attach_id = $::FORM{'id'}");
+ MoreSQLData()
+ || DisplayError("Attachment #$::FORM{'id'} does not exist.")
+ && exit;
- # Make sure the user is authorized to access this attachment's bug.
- my ($bugid) = FetchSQLData();
- ValidateBugID($bugid);
+ # Make sure the user is authorized to access this attachment's bug.
+ my ($bugid, $isprivate) = FetchSQLData();
+ ValidateBugID($bugid);
+ if (($isprivate > 0 ) && Param("insidergroup") && !(UserInGroup(Param("insidergroup")))) {
+ ThrowUserError("You are not permitted access to this attachment.");
+ }
 }
 sub validateCanEdit
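Review bot: The new privacy check at the end of validateID rejects with `ThrowUserError(...)` while every other rejection in the same sub uses the `DisplayError(...) && exit;` idiom, so the two failure paths render differently to the user; for consistency within this function use `DisplayError("You are not permitted access to this attachment.") && exit;`, or convert the whole sub in one go. The check itself is correctly placed after ValidateBugID so bug-level access is settled before the insider-group rule is applied. The hunk also re-indents all of validateID together with the three-line functional change, which buries the access check in a whitespace diff; a separate re-indentation commit would make it reviewable on its own. Minor: `($isprivate > 0 )` has a stray space before the paren.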
@@ -244,6 +248,14 @@ sub validateIsObsolete
 $::FORM{'isobsolete'} = $::FORM{'isobsolete'} ? 1 : 0;
 }
+sub validatePrivate
+{
+ # Set the isprivate flag to zero if it is undefined, since the UI uses
+ # an HTML checkbox to represent this flag, and unchecked HTML checkboxes
+ # do not get sent in HTML requests.
+ $::FORM{'isprivate'} = $::FORM{'isprivate'} ? 1 : 0;
+}
+
 sub validateStatuses
 {
 # Get a list of attachment statuses that are valid for this attachment.
@@ -354,16 +366,16 @@ sub validateObsolete
 sub view
 {
- # Display an attachment.
+ # Display an attachment.
- # Retrieve the attachment content and its content type from the database.
- SendSQL("SELECT mimetype, thedata FROM attachments WHERE attach_id = $::FORM{'id'}");
- my ($contenttype, $thedata) = FetchSQLData();
+ # Retrieve the attachment content and its content type from the database.
+ SendSQL("SELECT mimetype, thedata FROM attachments WHERE attach_id = $::FORM{'id'}");
+ my ($contenttype, $thedata) = FetchSQLData();
- # Return the appropriate HTTP response headers.
- print "Content-Type: $contenttype\n\n";
+ # Return the appropriate HTTP response headers.
+ print "Content-Type: $contenttype\n\n";
- print $thedata;
+ print $thedata;
 }
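Review bot: validatePrivate only normalises the checkbox value; nothing in this commit checks on the write side that the user setting isprivate=1 is in the insider group, even though the read side (validateID and viewall) gates on `Param("insidergroup")` and `UserInGroup(...)`. As written any user who can reach update can flip a public attachment to private, and the same gap exists in insert, where `my $isprivate = $::FORM{'isprivate'} ? 1 : 0;` (hunk @@ -473) is read directly without validatePrivate being called at all. Enforce the same rule here, after the normalisation: `ThrowUserError("You are not permitted to mark attachments private.") if $::FORM{'isprivate'} && Param("insidergroup") && !UserInGroup(Param("insidergroup"));`, and have the insert action call validatePrivate before it reads the flag (that dispatch branch is outside this diff). Relying on the template to hide the checkbox from non-insiders is not a control, since the form field can be supplied directly.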
@@ -373,14 +385,20 @@ sub viewall
 # Retrieve the attachments from the database and write them into an array
 # of hashes where each hash represents one attachment.
- SendSQL("SELECT attach_id, creation_ts, mimetype, description, ispatch, isobsolete
- FROM attachments WHERE bug_id = $::FORM{'bugid'} ORDER BY attach_id");
+ my $privacy = "";
+ if (Param("insidergroup") && !(UserInGroup(Param("insidergroup")))) {
+ $privacy = "AND isprivate < 1 ";
+ }
+ SendSQL("SELECT attach_id, creation_ts, mimetype, description,
+ ispatch, isobsolete, isprivate
+ FROM attachments WHERE bug_id = $::FORM{'bugid'} $privacy
+ ORDER BY attach_id");
 my @attachments; # the attachments array
 while (MoreSQLData()) {
 my %a; # the attachment hash
 ($a{'attachid'}, $a{'date'}, $a{'contenttype'},
- $a{'description'}, $a{'ispatch'}, $a{'isobsolete'}) = FetchSQLData();
+ $a{'description'}, $a{'ispatch'}, $a{'isobsolete'}, $a{'isprivate'}) = FetchSQLData();
 # Flag attachments as to whether or not they can be viewed (as opposed to
 # being downloaded). Currently I decide they are viewable if their MIME type
@@ -432,7 +450,7 @@ sub enter
 if (!UserInGroup("editbugs")) {
 $canEdit = "AND submitter_id = $::userid";
 }
- SendSQL("SELECT attach_id, description
+ SendSQL("SELECT attach_id, description, isprivate
 FROM attachments
 WHERE bug_id = $::FORM{'bugid'}
 AND isobsolete = 0 $canEdit
@@ -440,7 +458,7 @@ sub enter
 my @attachments; # the attachments array
 while ( MoreSQLData() ) {
 my %a; # the attachment hash
- ($a{'id'}, $a{'description'}) = FetchSQLData();
+ ($a{'id'}, $a{'description'}, $a{'isprivate'}) = FetchSQLData();
 # Add the hash representing the attachment to the array of attachments.
 push @attachments, \%a;
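Review bot: The obsolete-attachment query in enter (hunk @@ -432) now selects `isprivate` but, unlike the viewall query changed in the same commit, applies no insider-group filter, so a non-insider who reaches the enter form is still handed the descriptions of private attachments unless the template drops rows with isprivate set, which this diff does not show. Reusing viewall's clause keeps the two queries consistent: build `my $privacy = ""; $privacy = "AND isprivate < 1 " if Param("insidergroup") && !UserInGroup(Param("insidergroup"));` next to `$canEdit` and append it as `AND isobsolete = 0 $canEdit $privacy`. The SendSQL call continues outside the hunk, so the ORDER BY and closing quote are not visible here.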
@@ -473,10 +491,11 @@ sub insert
 my $description = SqlQuote($::FORM{'description'});
 my $contenttype = SqlQuote($::FORM{'contenttype'});
 my $thedata = SqlQuote($::FORM{'data'});
+ my $isprivate = $::FORM{'isprivate'} ? 1 : 0;
 # Insert the attachment into the database.
- SendSQL("INSERT INTO attachments (bug_id, creation_ts, filename, description, mimetype, ispatch, submitter_id, thedata)
- VALUES ($::FORM{'bugid'}, now(), $filename, $description, $contenttype, $::FORM{'ispatch'}, $::userid, $thedata)");
+ SendSQL("INSERT INTO attachments (bug_id, creation_ts, filename, description, mimetype, ispatch, isprivate, submitter_id, thedata)
+ VALUES ($::FORM{'bugid'}, now(), $filename, $description, $contenttype, $::FORM{'ispatch'}, $isprivate, $::userid, $thedata)");
 # Retrieve the ID of the newly created attachment record.
 SendSQL("SELECT LAST_INSERT_ID()");
@@ -493,14 +512,15 @@ sub insert
 AppendComment($::FORM{'bugid'},
 $::COOKIE{"Bugzilla_login"},
- $comment);
+ $comment,
+ $isprivate);
 # Make existing attachments obsolete.
 my $fieldid = GetFieldID('attachments.isobsolete');
 foreach my $attachid (@{$::MFORM{'obsolete'}}) {
- SendSQL("UPDATE attachments SET isobsolete = 1 WHERE attach_id = $attachid");
- SendSQL("INSERT INTO bugs_activity (bug_id, attach_id, who, bug_when, fieldid, removed, added)
- VALUES ($::FORM{'bugid'}, $attachid, $::userid, NOW(), $fieldid, '0', '1')");
+ SendSQL("UPDATE attachments SET isobsolete = 1 WHERE attach_id = $attachid");
+ SendSQL("INSERT INTO bugs_activity (bug_id, attach_id, who, bug_when, fieldid, removed, added)
+ VALUES ($::FORM{'bugid'}, $attachid, $::userid, NOW(), $fieldid, '0', '1')");
 }
 # Send mail to let people know the attachment has been created. Uses a
@@ -540,9 +560,9 @@ sub edit
 # Users cannot edit the content of the attachment itself.
 # Retrieve the attachment from the database.
- SendSQL("SELECT description, mimetype, bug_id, ispatch, isobsolete
+ SendSQL("SELECT description, mimetype, bug_id, ispatch, isobsolete, isprivate
 FROM attachments WHERE attach_id = $::FORM{'id'}");
- my ($description, $contenttype, $bugid, $ispatch, $isobsolete) = FetchSQLData();
+ my ($description, $contenttype, $bugid, $ispatch, $isobsolete, $isprivate) = FetchSQLData();
 # Flag attachment as to whether or not it can be viewed (as opposed to
 # being downloaded). Currently I decide it is viewable if its content
@@ -592,6 +612,7 @@ sub edit
 $vars->{'bugsummary'} = $bugsummary;
 $vars->{'ispatch'} = $ispatch;
 $vars->{'isobsolete'} = $isobsolete;
+ $vars->{'isprivate'} = $isprivate;
 $vars->{'isviewable'} = $isviewable;
 $vars->{'statuses'} = \%statuses;
 $vars->{'statusdefs'} = \@statusdefs;
@@ -619,12 +640,12 @@ sub update
 # Lock database tables in preparation for updating the attachment.
 SendSQL("LOCK TABLES attachments WRITE , attachstatuses WRITE , attachstatusdefs READ , fielddefs READ , bugs_activity WRITE");
-
 # Get a copy of the attachment record before we make changes
 # so we can record those changes in the activity table.
- SendSQL("SELECT description, mimetype, ispatch, isobsolete
+ SendSQL("SELECT description, mimetype, ispatch, isobsolete, isprivate
 FROM attachments WHERE attach_id = $::FORM{'id'}");
- my ($olddescription, $oldcontenttype, $oldispatch, $oldisobsolete) = FetchSQLData();
+ my ($olddescription, $oldcontenttype, $oldispatch, $oldisobsolete,
+ $oldisprivate ) = FetchSQLData();
 # Get the list of old status flags.
 SendSQL("SELECT attachstatusdefs.name
@@ -672,6 +693,7 @@ sub update
 mimetype = $quotedcontenttype ,
 ispatch = $::FORM{'ispatch'} ,
 isobsolete = $::FORM{'isobsolete'}
+ isprivate = $::FORM{'isprivate'} ,
 WHERE attach_id = $::FORM{'id'}
 ");
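Review bot: In hunk @@ -672 the added `isprivate = $::FORM{'isprivate'} ,` is inserted after the context line `isobsolete = $::FORM{'isobsolete'}`, which has no trailing comma, and its own comma then dangles before `WHERE`; the generated SQL reads `isobsolete = 0 isprivate = 1 , WHERE attach_id = ...`, so every attachment update fails (and does so while the tables are locked by the LOCK TABLES issued earlier in update). Move the comma up: change the context line to `isobsolete = $::FORM{'isobsolete'} ,` and the new line to `isprivate = $::FORM{'isprivate'}`, matching the trailing-comma style of the lines above. The SendSQL call begins outside the hunk.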
@@ -698,6 +720,11 @@ sub update
 SendSQL("INSERT INTO bugs_activity (bug_id, attach_id, who, bug_when, fieldid, removed, added)
 VALUES ($bugid, $::FORM{'id'}, $::userid, NOW(), $fieldid, $oldisobsolete, $::FORM{'isobsolete'})");
 }
+ if ($oldisprivate ne $::FORM{'isprivate'}) {
+ my $fieldid = GetFieldID('attachments.isprivate');
+ SendSQL("INSERT INTO bugs_activity (bug_id, attach_id, who, bug_when, fieldid, removed, added)
+ VALUES ($bugid, $::FORM{'id'}, $::userid, NOW(), $fieldid, $oldisprivate, $::FORM{'isprivate'})");
+ }
 if ($oldstatuslist ne $newstatuslist) {
 my ($removed, $added) = DiffStrings($oldstatuslist, $newstatuslist);
 my $quotedremoved = SqlQuote($removed);
@@ -759,7 +786,7 @@ sub update
 my $neverused = $::userid;
 # Append the comment to the list of comments in the database.
- AppendComment($bugid, $who, $wrappedcomment);
+ AppendComment($bugid, $who, $wrappedcomment, $::FORM{'isprivate'});
 }
|
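Review bot: The activity-log branch added in hunk @@ -698 interpolates `$oldisprivate` unquoted into the VALUES list and compares it with `ne`; if the new column can be NULL for rows that predate it (the schema change is not in this diff, so this is an assumption to confirm), `$oldisprivate` arrives as undef, the `ne` test is always true, and the INSERT is emitted with an empty value and fails. Normalising the fetched value where it is read in update's earlier hunk, `$oldisprivate = $oldisprivate ? 1 : 0;` right after the FetchSQLData call, makes both the comparison and the INSERT safe regardless of the column definition. If the column is declared NOT NULL with a default this is only a hardening step, but it costs one line.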