From 1427884e689fa9c470f88bdefc7eabbb87b047c6 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Tue, 14 Aug 2007 17:34:45 +0000
Subject: Bug 392175: Move isViewable out of attachment.cgi + some other minor cleanup - Patch by Frédéric Buclin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Bugzilla/Attachment.pm | 49 ++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 38 insertions(+), 11 deletions(-)
(limited to 'Bugzilla/Attachment.pm')

diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm
index 893c46682..736959b2f 100644
--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
@@ -283,6 +283,40 @@ sub isprivate {
 
 
 =over
+=item C
+
+Returns 1 if the attachment has a content-type viewable in this browser.
+Note that we don't use $cgi->Accept()'s ability to check if a content-type
+matches, because this will return a value even if it's matched by the generic
+*/* which most browsers add to the end of their Accept: headers.
+
+=back
+
+=cut
+
+sub is_viewable {
+    my $self = shift;
+    my $contenttype = $self->contenttype;
+    my $cgi = Bugzilla->cgi;
+
+    # We assume we can view all text and image types.
+    return 1 if ($contenttype =~ /^(text|image)\//);
+
+    # Mozilla can view XUL. Note the trailing slash on the Gecko detection to
+    # avoid sending XUL to Safari.
+    return 1 if (($contenttype =~ /^application\/vnd\.mozilla\./)
+                 && ($cgi->user_agent() =~ /Gecko\//));
+
+    # If it's not one of the above types, we check the Accept: header for any
+    # types mentioned explicitly.
+    my $accept = join(",", $cgi->Accept());
+    return 1 if ($accept =~ /^(.*,)?\Q$contenttype\E(,.*)?$/);
+
+    return 0;
+}
+
+=over
+
 =item C
 
 the content of the attachment
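Review bot: The content-type tests in is_viewable are case-sensitive while MIME type names are not, so an attachment whose contenttype was stored as `Text/Plain` or `IMAGE/PNG` would miss both `/^(text|image)\//` and the `application/vnd.mozilla.` test and likely be reported as not viewable; unless contenttype is normalised before storage (not visible in this hunk), add `/i` to both prefix matches and compare `lc $accept` with `lc $contenttype` in the final regex. The Accept: match itself is sound from a safety standpoint: the stored type is escaped with `\Q...\E` and the pattern is anchored at both ends, so a crafted content type cannot widen the match. It is worth stating in the POD that `text/*` includes `text/html` and similar active types, so a result of 1 means the browser can display the type, not that serving it inline is safe; that decision rests with the caller, which this hunk does not show.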
@@ -625,19 +659,12 @@ Returns: 1 on success. Else an error is thrown.
 
 sub validate_can_edit {
     my ($attachment, $product_id) = @_;
-    my $dbh = Bugzilla->dbh;
     my $user = Bugzilla->user;
 
-    # Bug 97729 - the submitter can edit their attachments.
-    return if ($attachment->attacher->id == $user->id);
-
-    # Only users in the insider group can view private attachments.
-    if ($attachment->isprivate && !$user->is_insider) {
-        ThrowUserError('illegal_attachment_edit', {attach_id => $attachment->id});
-    }
-
-    # Users with editbugs privs can edit all attachments.
-    return if $user->in_group('editbugs', $product_id);
+    # The submitter can edit their attachments.
+    return 1 if ($attachment->attacher->id == $user->id
+                 || ((!$attachment->isprivate || $user->is_insider)
+                     && $user->in_group('editbugs', $product_id)));
 
     # If we come here, then this attachment cannot be seen by the user.
     ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id });
-- 
cgit v1.2.3-24-g4f1b
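Review bot: The new comment `# The submitter can edit their attachments.` describes only the first alternative of the condition beneath it, so the rule for everyone else (editbugs in this product, plus insider membership when the attachment is private) is no longer documented anywhere in the function; replace it with `# The submitter can always edit their own attachments. Anyone else needs` / `# editbugs in this product, and for a private attachment must also be an insider.`. Folding the three former checks into one compound boolean also makes this authorization rule harder to audit than the staged returns it replaces, so if the compact form is kept the comment should carry the full rule. The trailing context comment still says the attachment "cannot be seen" although the error raised is about editing; `# If we come here, then this attachment cannot be edited by the user.` would match the behaviour. validate_can_edit's closing brace lies outside the hunk.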