Bug 184256 Canedit group_control_map entry does not prevent making attachments

r=bbaetz a=justdave

Bug 184256 Canedit group_control_map entry does not prevent making attachments
6bd37cce · bugreport%peshkin.net · c457b4c4 · 6bd37cce · 6bd37cce · 6bd37cce
Commit 6bd37cce authored Dec 11, 2002 by bugreport%peshkin.net
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 4 deletions

Attachment.pm Attachment.pm +7 -2

Attachment.pm Bugzilla/Attachment.pm +7 -2

attachment.cgi attachment.cgi +26 -0

No files found.
--- a/Attachment.pm
+++ b/Attachment.pm
@@ -65,6 +65,11 @@ sub query
  my ($bugid) = @_;

  my $in_editbugs = &::UserInGroup("editbugs");
+  &::SendSQL("SELECT product_id
+           FROM bugs 
+           WHERE bug_id = $bugid");
+  my $productid = &::FetchOneColumn();
+  my $caneditproduct = &::CanEditProductId($productid);

  # Retrieve a list of attachments for this bug and write them into an array
  # of hashes in which each hash represents a single attachment.
@@ -88,8 +93,8 @@ sub query
    # ie the are the submitter, or they have canedit.
    # Also show the link if the user is not logged in - in that cae,
    # They'll be prompted later
-    $a{'canedit'} = ($::userid == 0 || $submitter_id == $::userid ||
-                     $in_editbugs);
+    $a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid ||
+                     $in_editbugs) && $caneditproduct));
    push @attachments, \%a;
  }
  

--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
@@ -65,6 +65,11 @@ sub query
  my ($bugid) = @_;

  my $in_editbugs = &::UserInGroup("editbugs");
+  &::SendSQL("SELECT product_id
+           FROM bugs 
+           WHERE bug_id = $bugid");
+  my $productid = &::FetchOneColumn();
+  my $caneditproduct = &::CanEditProductId($productid);

  # Retrieve a list of attachments for this bug and write them into an array
  # of hashes in which each hash represents a single attachment.
@@ -88,8 +93,8 @@ sub query
    # ie the are the submitter, or they have canedit.
    # Also show the link if the user is not logged in - in that cae,
    # They'll be prompted later
-    $a{'canedit'} = ($::userid == 0 || $submitter_id == $::userid ||
-                     $in_editbugs);
+    $a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid ||
+                     $in_editbugs) && $caneditproduct));
    push @attachments, \%a;
  }
  

--- a/attachment.cgi
+++ b/attachment.cgi
@@ -77,12 +77,14 @@ elsif ($action eq "enter")
 { 
  confirm_login();
  ValidateBugID($::FORM{'bugid'});
+  validateCanChangeBug($::FORM{'bugid'});
  enter(); 
 }
 elsif ($action eq "insert")
 {
  confirm_login();
  ValidateBugID($::FORM{'bugid'});
+  validateCanChangeBug($::FORM{'bugid'});
  ValidateComment($::FORM{'comment'});
  validateFilename();
  validateIsPatch();
@@ -105,6 +107,7 @@ elsif ($action eq "update")
  ValidateComment($::FORM{'comment'});
  validateID();
  validateCanEdit($::FORM{'id'});
+  validateCanChangeAttachment($::FORM{'id'});
  validateDescription();
  validateIsPatch();
  validateContentType() unless $::FORM{'ispatch'};
@@ -171,6 +174,29 @@ sub validateCanEdit
      || ThrowUserError("illegal_attachment_edit");
 }

+sub validateCanChangeAttachment 
+{
+    my ($attachid) = @_;
+    SendSQL("SELECT product_id
+             FROM attachments, bugs 
+             WHERE attach_id = $attachid
+             AND bugs.bug_id = attachments.bug_id");
+    my $productid = FetchOneColumn();
+    CanEditProductId($productid)
+      || ThrowUserError("illegal_attachment_edit");
+}
+
+sub validateCanChangeBug
+{
+    my ($bugid) = @_;
+    SendSQL("SELECT product_id
+             FROM bugs 
+             WHERE bug_id = $bugid");
+    my $productid = FetchOneColumn();
+    CanEditProductId($productid)
+      || ThrowUserError("illegal_attachment_edit");
+}
+
 sub validateDescription
 {
  $::FORM{'description'}