summaryrefslogtreecommitdiffstats
path: root/attachment.cgi
diff options
context:
space:
mode:
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-xattachment.cgi31
1 files changed, 31 insertions, 0 deletions
diff --git a/attachment.cgi b/attachment.cgi
index 937087a51..2520c0032 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -327,6 +327,7 @@ sub enter {
'component_id' => $bug->component_id});
$vars->{'flag_types'} = $flag_types;
$vars->{'any_flags_requesteeble'} = grep($_->is_requesteeble, @$flag_types);
+ $vars->{'token'} = issue_session_token('createattachment:');
print $cgi->header();
@@ -348,6 +349,30 @@ sub insert {
validateCanChangeBug($bugid);
my ($timestamp) = Bugzilla->dbh->selectrow_array("SELECT NOW()");
+ # Detect if the user already used the same form to submit an attachment
+ my $token = trim($cgi->param('token'));
+ if ($token) {
+ my ($creator_id, $date, $old_attach_id) = Bugzilla::Token::GetTokenData($token);
+ unless ($creator_id
+ && ($creator_id == $user->id)
+ && ($old_attach_id =~ "^createattachment:"))
+ {
+ # The token is invalid.
+ ThrowUserError('token_does_not_exist');
+ }
+
+ $old_attach_id =~ s/^createattachment://;
+
+ if ($old_attach_id) {
+ $vars->{'bugid'} = $bugid;
+ $vars->{'attachid'} = $old_attach_id;
+ print $cgi->header();
+ $template->process("attachment/cancel-create-dupe.html.tmpl", $vars)
+ || ThrowTemplateError($template->error());
+ exit;
+ }
+ }
+
my $bug = new Bugzilla::Bug($bugid);
my $attachment =
Bugzilla::Attachment->insert_attachment_for_bug(THROW_ERROR, $bug, $user,
@@ -379,6 +404,12 @@ sub insert {
}
$bug->update($timestamp);
+ if ($token) {
+ trick_taint($token);
+ $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef,
+ ("createattachment:" . $attachment->id, $token));
+ }
+
$dbh->bz_commit_transaction;
# Define the variables and functions that will be passed to the UI template.