From 6bd37cce67502e54410dde53f615b5d9b860a4be Mon Sep 17 00:00:00 2001
From: "bugreport%peshkin.net" <>
Date: Wed, 11 Dec 2002 08:41:19 +0000
Subject: Bug 184256 Canedit group_control_map entry does not prevent making
 attachments r=bbaetz a=justdave

---
 attachment.cgi | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

(limited to 'attachment.cgi')

diff --git a/attachment.cgi b/attachment.cgi
index 27c2c107c..5c3ce09ac 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -77,12 +77,14 @@ elsif ($action eq "enter")
 { 
   confirm_login();
   ValidateBugID($::FORM{'bugid'});
+  validateCanChangeBug($::FORM{'bugid'});
   enter(); 
 }
 elsif ($action eq "insert")
 {
   confirm_login();
   ValidateBugID($::FORM{'bugid'});
+  validateCanChangeBug($::FORM{'bugid'});
   ValidateComment($::FORM{'comment'});
   validateFilename();
   validateIsPatch();
@@ -105,6 +107,7 @@ elsif ($action eq "update")
   ValidateComment($::FORM{'comment'});
   validateID();
   validateCanEdit($::FORM{'id'});
+  validateCanChangeAttachment($::FORM{'id'});
   validateDescription();
   validateIsPatch();
   validateContentType() unless $::FORM{'ispatch'};
@@ -171,6 +174,29 @@ sub validateCanEdit
       || ThrowUserError("illegal_attachment_edit");
 }
 
+sub validateCanChangeAttachment 
+{
+    my ($attachid) = @_;
+    SendSQL("SELECT product_id
+             FROM attachments, bugs 
+             WHERE attach_id = $attachid
+             AND bugs.bug_id = attachments.bug_id");
+    my $productid = FetchOneColumn();
+    CanEditProductId($productid)
+      || ThrowUserError("illegal_attachment_edit");
+}
+
+sub validateCanChangeBug
+{
+    my ($bugid) = @_;
+    SendSQL("SELECT product_id
+             FROM bugs 
+             WHERE bug_id = $bugid");
+    my $productid = FetchOneColumn();
+    CanEditProductId($productid)
+      || ThrowUserError("illegal_attachment_edit");
+}
+
 sub validateDescription
 {
   $::FORM{'description'}
-- 
cgit v1.2.3-24-g4f1b