From 5b595f757ec207f03b6e36fe30d5e2ee517c64ca Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 28 Sep 2009 17:24:16 +0000
Subject: Bug 140999: Users without edit permissions for an attachment should
 still be able to make comments - Patch by Frédéric Buclin
 <LpSolit@gmail.com> a=LpSolit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 attachment.cgi | 82 ++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 45 insertions(+), 37 deletions(-)

(limited to 'attachment.cgi')

diff --git a/attachment.cgi b/attachment.cgi
index bbbf4afb3..32f6e5ec0 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -572,37 +572,39 @@ sub update {
     my $attachment = validateID();
     my $bug = $attachment->bug;
     $attachment->_check_bug;
-    $attachment->validate_can_edit($bug->product_id); # FIXME: allow comments anyway.
-
-    $attachment->set_description(scalar $cgi->param('description'));
-    $attachment->set_is_patch(scalar $cgi->param('ispatch'));
-    $attachment->set_content_type(scalar $cgi->param('contenttypeentry'));
-    $attachment->set_is_obsolete(scalar $cgi->param('isobsolete'));
-    $attachment->set_is_private(scalar $cgi->param('isprivate'));
-    $attachment->set_filename(scalar $cgi->param('filename'));
-
-    # Now make sure the attachment has not been edited since we loaded the page.
-    if (defined $cgi->param('delta_ts')
-        && $cgi->param('delta_ts') ne $attachment->modification_time)
-    {
-        ($vars->{'operations'}) =
-            Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts'));
-
-        # The token contains the old modification_time. We need a new one.
-        $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
-
-        # If the modification date changed but there is no entry in
-        # the activity table, this means someone commented only.
-        # In this case, there is no reason to midair.
-        if (scalar(@{$vars->{'operations'}})) {
-            $cgi->param('delta_ts', $attachment->modification_time);
-            $vars->{'attachment'} = $attachment;
-
-            print $cgi->header();
-            # Warn the user about the mid-air collision and ask them what to do.
-            $template->process("attachment/midair.html.tmpl", $vars)
-              || ThrowTemplateError($template->error());
-            exit;
+    my $can_edit = $attachment->validate_can_edit($bug->product_id);
+
+    if ($can_edit) {
+        $attachment->set_description(scalar $cgi->param('description'));
+        $attachment->set_is_patch(scalar $cgi->param('ispatch'));
+        $attachment->set_content_type(scalar $cgi->param('contenttypeentry'));
+        $attachment->set_is_obsolete(scalar $cgi->param('isobsolete'));
+        $attachment->set_is_private(scalar $cgi->param('isprivate'));
+        $attachment->set_filename(scalar $cgi->param('filename'));
+
+        # Now make sure the attachment has not been edited since we loaded the page.
+        if (defined $cgi->param('delta_ts')
+            && $cgi->param('delta_ts') ne $attachment->modification_time)
+        {
+            ($vars->{'operations'}) =
+                Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts'));
+
+            # The token contains the old modification_time. We need a new one.
+            $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
+
+            # If the modification date changed but there is no entry in
+            # the activity table, this means someone commented only.
+            # In this case, there is no reason to midair.
+            if (scalar(@{$vars->{'operations'}})) {
+                $cgi->param('delta_ts', $attachment->modification_time);
+                $vars->{'attachment'} = $attachment;
+
+                print $cgi->header();
+                # Warn the user about the mid-air collision and ask them what to do.
+                $template->process("attachment/midair.html.tmpl", $vars)
+                  || ThrowTemplateError($template->error());
+                exit;
+            }
         }
     }
 
@@ -622,16 +624,22 @@ sub update {
         $bug->add_comment($comment, { isprivate => $attachment->isprivate });
     }
 
-    my ($flags, $new_flags) = Bugzilla::Flag->extract_flags_from_cgi($bug, $attachment, $vars);
-    $attachment->set_flags($flags, $new_flags);
+    if ($can_edit) {
+        my ($flags, $new_flags) =
+          Bugzilla::Flag->extract_flags_from_cgi($bug, $attachment, $vars);
+        $attachment->set_flags($flags, $new_flags);
+    }
 
     # Figure out when the changes were made.
     my $timestamp = $dbh->selectrow_array('SELECT LOCALTIMESTAMP(0)');
 
-    my $changes = $attachment->update($timestamp);
-    # If there are changes, we updated delta_ts in the DB. We have to
-    # reflect this change in the bug object.
-    $bug->{delta_ts} = $timestamp if scalar(keys %$changes);
+    if ($can_edit) {
+        my $changes = $attachment->update($timestamp);
+        # If there are changes, we updated delta_ts in the DB. We have to
+        # reflect this change in the bug object.
+        $bug->{delta_ts} = $timestamp if scalar(keys %$changes);
+    }
+
     # Commit the comment, if any.
     $bug->update($timestamp);
 
-- 
cgit v1.2.3-24-g4f1b