diff options
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-x | attachment.cgi | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/attachment.cgi b/attachment.cgi index 27c2c107c..5c3ce09ac 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -77,12 +77,14 @@ elsif ($action eq "enter") { confirm_login(); ValidateBugID($::FORM{'bugid'}); + validateCanChangeBug($::FORM{'bugid'}); enter(); } elsif ($action eq "insert") { confirm_login(); ValidateBugID($::FORM{'bugid'}); + validateCanChangeBug($::FORM{'bugid'}); ValidateComment($::FORM{'comment'}); validateFilename(); validateIsPatch(); @@ -105,6 +107,7 @@ elsif ($action eq "update") ValidateComment($::FORM{'comment'}); validateID(); validateCanEdit($::FORM{'id'}); + validateCanChangeAttachment($::FORM{'id'}); validateDescription(); validateIsPatch(); validateContentType() unless $::FORM{'ispatch'}; @@ -171,6 +174,29 @@ sub validateCanEdit || ThrowUserError("illegal_attachment_edit"); } +sub validateCanChangeAttachment +{ + my ($attachid) = @_; + SendSQL("SELECT product_id + FROM attachments, bugs + WHERE attach_id = $attachid + AND bugs.bug_id = attachments.bug_id"); + my $productid = FetchOneColumn(); + CanEditProductId($productid) + || ThrowUserError("illegal_attachment_edit"); +} + +sub validateCanChangeBug +{ + my ($bugid) = @_; + SendSQL("SELECT product_id + FROM bugs + WHERE bug_id = $bugid"); + my $productid = FetchOneColumn(); + CanEditProductId($productid) + || ThrowUserError("illegal_attachment_edit"); +} + sub validateDescription { $::FORM{'description'} |