Commit 5b595f75 authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 140999: Users without edit permissions for an attachment should still be…

Bug 140999: Users without edit permissions for an attachment should still be able to make comments - Patch by Frédéric Buclin <LpSolit@gmail.com> a=LpSolit
parent c3da6d79
...@@ -720,7 +720,7 @@ Description: validates if the user is allowed to view and edit the attachment. ...@@ -720,7 +720,7 @@ Description: validates if the user is allowed to view and edit the attachment.
Params: $attachment - the attachment object being edited. Params: $attachment - the attachment object being edited.
$product_id - the product ID the attachment belongs to. $product_id - the product ID the attachment belongs to.
Returns: 1 on success. Else an error is thrown. Returns: 1 on success, 0 otherwise.
=cut =cut
...@@ -729,12 +729,9 @@ sub validate_can_edit { ...@@ -729,12 +729,9 @@ sub validate_can_edit {
my $user = Bugzilla->user; my $user = Bugzilla->user;
# The submitter can edit their attachments. # The submitter can edit their attachments.
return 1 if ($attachment->attacher->id == $user->id return ($attachment->attacher->id == $user->id
|| ((!$attachment->isprivate || $user->is_insider) || ((!$attachment->isprivate || $user->is_insider)
&& $user->in_group('editbugs', $product_id))); && $user->in_group('editbugs', $product_id))) ? 1 : 0;
# If we come here, then this attachment cannot be edited by the user.
ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id });
} }
=item C<validate_obsolete($bug)> =item C<validate_obsolete($bug)>
...@@ -769,7 +766,8 @@ sub validate_obsolete { ...@@ -769,7 +766,8 @@ sub validate_obsolete {
|| ThrowUserError('invalid_attach_id', $vars); || ThrowUserError('invalid_attach_id', $vars);
# Check that the user can view and edit this attachment. # Check that the user can view and edit this attachment.
$attachment->validate_can_edit($bug->product_id); $attachment->validate_can_edit($bug->product_id)
|| ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id });
$vars->{'description'} = $attachment->description; $vars->{'description'} = $attachment->description;
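Review bot: validate_can_edit now returns 0 where it used to throw, so any caller that still invokes it as a bare statement will let the edit proceed instead of stopping it. Only validate_obsolete and the update handler are adjusted in the hunks shown; any other call site outside this view needs the same `|| ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id });` guard. Because the name still reads like a throwing validator, the POD should state the obligation, for example `Returns: 1 if the user may edit the attachment, 0 otherwise. Callers must check the result.` A rename to a predicate-style name would make the fail-open risk harder to reintroduce, if the project's compatibility rules allow it.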
......
...@@ -572,37 +572,39 @@ sub update { ...@@ -572,37 +572,39 @@ sub update {
my $attachment = validateID(); my $attachment = validateID();
my $bug = $attachment->bug; my $bug = $attachment->bug;
$attachment->_check_bug; $attachment->_check_bug;
$attachment->validate_can_edit($bug->product_id); # FIXME: allow comments anyway. my $can_edit = $attachment->validate_can_edit($bug->product_id);
$attachment->set_description(scalar $cgi->param('description')); if ($can_edit) {
$attachment->set_is_patch(scalar $cgi->param('ispatch')); $attachment->set_description(scalar $cgi->param('description'));
$attachment->set_content_type(scalar $cgi->param('contenttypeentry')); $attachment->set_is_patch(scalar $cgi->param('ispatch'));
$attachment->set_is_obsolete(scalar $cgi->param('isobsolete')); $attachment->set_content_type(scalar $cgi->param('contenttypeentry'));
$attachment->set_is_private(scalar $cgi->param('isprivate')); $attachment->set_is_obsolete(scalar $cgi->param('isobsolete'));
$attachment->set_filename(scalar $cgi->param('filename')); $attachment->set_is_private(scalar $cgi->param('isprivate'));
$attachment->set_filename(scalar $cgi->param('filename'));
# Now make sure the attachment has not been edited since we loaded the page.
if (defined $cgi->param('delta_ts') # Now make sure the attachment has not been edited since we loaded the page.
&& $cgi->param('delta_ts') ne $attachment->modification_time) if (defined $cgi->param('delta_ts')
{ && $cgi->param('delta_ts') ne $attachment->modification_time)
($vars->{'operations'}) = {
Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts')); ($vars->{'operations'}) =
Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts'));
# The token contains the old modification_time. We need a new one.
$cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time])); # The token contains the old modification_time. We need a new one.
$cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
# If the modification date changed but there is no entry in
# the activity table, this means someone commented only. # If the modification date changed but there is no entry in
# In this case, there is no reason to midair. # the activity table, this means someone commented only.
if (scalar(@{$vars->{'operations'}})) { # In this case, there is no reason to midair.
$cgi->param('delta_ts', $attachment->modification_time); if (scalar(@{$vars->{'operations'}})) {
$vars->{'attachment'} = $attachment; $cgi->param('delta_ts', $attachment->modification_time);
$vars->{'attachment'} = $attachment;
print $cgi->header();
# Warn the user about the mid-air collision and ask them what to do. print $cgi->header();
$template->process("attachment/midair.html.tmpl", $vars) # Warn the user about the mid-air collision and ask them what to do.
|| ThrowTemplateError($template->error()); $template->process("attachment/midair.html.tmpl", $vars)
exit; || ThrowTemplateError($template->error());
exit;
}
} }
} }
...@@ -622,16 +624,22 @@ sub update { ...@@ -622,16 +624,22 @@ sub update {
$bug->add_comment($comment, { isprivate => $attachment->isprivate }); $bug->add_comment($comment, { isprivate => $attachment->isprivate });
} }
my ($flags, $new_flags) = Bugzilla::Flag->extract_flags_from_cgi($bug, $attachment, $vars); if ($can_edit) {
$attachment->set_flags($flags, $new_flags); my ($flags, $new_flags) =
Bugzilla::Flag->extract_flags_from_cgi($bug, $attachment, $vars);
$attachment->set_flags($flags, $new_flags);
}
# Figure out when the changes were made. # Figure out when the changes were made.
my $timestamp = $dbh->selectrow_array('SELECT LOCALTIMESTAMP(0)'); my $timestamp = $dbh->selectrow_array('SELECT LOCALTIMESTAMP(0)');
my $changes = $attachment->update($timestamp); if ($can_edit) {
# If there are changes, we updated delta_ts in the DB. We have to my $changes = $attachment->update($timestamp);
# reflect this change in the bug object. # If there are changes, we updated delta_ts in the DB. We have to
$bug->{delta_ts} = $timestamp if scalar(keys %$changes); # reflect this change in the bug object.
$bug->{delta_ts} = $timestamp if scalar(keys %$changes);
}
# Commit the comment, if any. # Commit the comment, if any.
$bug->update($timestamp); $bug->update($timestamp);
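Review bot: With the hard failure removed from update, the comment path is now reachable by users for whom validate_can_edit returns 0, which by the visible logic includes a non-insider who is not the attacher of a private attachment. The comment is still created with `isprivate => $attachment->isprivate`. validateID() and add_comment() lie outside the hunks shown, so it should be confirmed that one of them rejects non-insiders on private attachments before this point is reached. Separately, field and flag values submitted by a user without edit rights are dropped silently; a comment above `if ($can_edit) {` such as `# Users without edit rights may only comment; submitted field and flag changes are ignored.` would make that intent explicit. The body of update starts and ends outside these hunks.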
......