if ($_POST['do'] == 'insert')
{
- if (!can_perform('canputattach'))
+ if (!can_perform('canputattach', null, $bug['productid']))
{
$message->error_permission();
}
}
// handle comment stuff
- if (can_perform('canpostcomments') AND trim($bugsys->in['comment']))
+ if (can_perform('canpostcomments', null, $bug['productid']) AND trim($bugsys->in['comment']))
{
$bugsys->in['comment_parsed'] = $bugsys->in['comment'];
if ($_REQUEST['do'] == 'add')
{
- if (!can_perform('canputattach'))
+ if (!can_perform('canputattach', null, $bug['productid']))
{
$message->error_permission();
}
$MAXFILESIZE = $funct->fetch_max_attachment_size();
- $show['addcomment'] = ((can_perform('canpostcomments')) ? true : false);
+ $show['addcomment'] = ((can_perform('canpostcomments', null, $bug['productid'])) ? true : false);
$show['obsoletes'] = false;
$obsoletes_fetch = $db->query("SELECT * FROM " . TABLE_PREFIX . "attachment WHERE bugid = $bug[bugid] AND !obsolete");
if ($_POST['do'] == 'update')
{
- if (!(can_perform('caneditattach') OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach'))))
+ if (!(can_perform('caneditattach', null, $bug['productid']) OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach', null, $bug['productid']))))
{
$message->error_permission();
}
if ($_REQUEST['do'] == 'edit')
{
- if (!(can_perform('caneditattach') OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach'))))
+ if (!(can_perform('caneditattach', null, $bug['productid']) OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach', null, $bug['productid']))))
{
$message->error_permission();
}
- $show['delete'] = ((can_perform('caneditattach')) ? true : false);
+ $show['delete'] = ((can_perform('caneditattach', null, $bug['productid'])) ? true : false);
eval('$template->flush("' . $template->fetch('editattach') . '");');
}
$bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = $comment[bugid]");
-if (!((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')))
+if (!((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])))
{
$message->error_permission();
}
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
{
$message->error_permissison();
}
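Review bot: The deny path of the new per-product hidden-bug check calls `$message->error_permissison()`, a misspelled method name, so a user who is not allowed to see the hidden bug gets a fatal error on an undefined method instead of a clean permission refusal; it should be `$message->error_permission();` as on every other check in this patch. The second hidden-bug check further down the same file already uses the correct spelling, so only this line needs the fix.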
WHERE bug.bugid = " . intval($bugsys->in['bugid'])
);
-if (!(((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) AND can_perform('caneditinfo')) AND !can_perform('canpostcomments'))
+if (!(((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) AND can_perform('caneditinfo', null, $bug['productid'])) AND !can_perform('canpostcomments', null, $bug['productid']))
{
$message->error_permission();
}
$message->error($lang->getlex('error_invalid_id'));
}
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
{
$message->error_permission();
}
{
// -------------------------------------------------------------------
// process comment stuff
- if (!(((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) AND can_perform('caneditinfo')))
+ if (!(((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) AND can_perform('caneditinfo', null, $bug['productid'])))
{
$hascomment = (!empty($bugsys->in['comment'])) ? true : false;
}
}
- if (!(((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) AND can_perform('caneditinfo')))
+ if (!(((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) AND can_perform('caneditinfo', null, $bug['productid'])))
{
$message->redirect($lang->string('Your reply has been added to the comment list.'), "showreport.php?bugid=$bug[bugid]");
}
UPDATE " . TABLE_PREFIX . "bug
SET summary = '" . $bugsys->in['summary'] . "',
severity = " . intval($bugsys->in['severity']) . "," .
- (can_perform('canchangestatus') ? "
+ (can_perform('canchangestatus', null, $bug['productid']) ? "
priority = " . intval($bugsys->in['priority']) . ",
status = " . intval($bugsys->in['status']) . ",
resolution = " . intval($bugsys->in['resolution']) . ","
: '') . "
- " . (can_perform('canassign') ? "assignedto = " . intval($bugsys->in['assignedto']) . "," : '') . "
+ " . (can_perform('canassign', null, $bug['productid']) ? "assignedto = " . intval($bugsys->in['assignedto']) . "," : '') . "
duplicateof = " . intval($bugsys->in['duplicateof']) . ",
dependency = '$dependencies',
productid = " . $pcv['product'] . ",
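Review bot: The canchangestatus and canassign guards on this UPDATE are evaluated against the bug's current product (`$bug['productid']`) while the same statement writes `productid = " . $pcv['product']`, so a user can set priority, status, resolution or assignee on a bug while moving it into a product where they do not hold those rights. Check the destination product as well, e.g. `can_perform('canchangestatus', null, $bug['productid']) AND can_perform('canchangestatus', null, $pcv['product'])`, and likewise for canassign, or refuse the product change when the user lacks the right in the target. `summary` is still interpolated into the query without escaping; if `$bugsys->in` is not sanitised at input time this is an injection point. The UPDATE statement begins and ends outside this hunk.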
if ($_REQUEST['do'] == 'handle')
{
- $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']) . ((!can_perform('canviewhidden')) ? " AND !bug.hidden" : ''));
- if (!$bug)
+ $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']));
+ if (!$bug OR (!can_perform('canviewhidden', null, $bug['productid']) AND $bug['hidden']))
{
$message->error($lang->getlex('error_invalid_id'));
}
$bug['status'] = $bugsys->datastore['status']["$bug[status]"]['status'];
$bug['resolution'] = $bugsys->datastore['resolution']["$bug[resolution]"]['resolution'];
- $bug['hiddendisplay'] = ((!can_perform('canviewhidden') AND $bug['hiddenlastposttime']) ? true : false);
+ $bug['hiddendisplay'] = ((!can_perform('canviewhidden', null, $bug['productid']) AND $bug['hiddenlastposttime']) ? true : false);
$bug['lastposttime'] = (($bug['hiddendisplay']) ? $bug['hiddenlastposttime'] : $bug['lastposttime']);
$bug['lastpost'] = (($bug['hiddendisplay']) ? $bug['hiddenlastpost'] : $bug['lastpost']);
require_once('./global.php');
-if (!can_perform('canpostcomments'))
+$bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']));
+if (!$bug)
+{
+ $message->error($lang->getlex('error_invalid_id'));
+}
+
+if (!can_perform('canpostcomments', null, $bug['productid'])))
{
$message->error_permission();
}
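Review bot: The new check has one closing parenthesis too many, `if (!can_perform('canpostcomments', null, $bug['productid'])))`, which is a parse error that takes the whole script down; it should read `if (!can_perform('canpostcomments', null, $bug['productid']))`. The bug row is now loaded without a hidden filter and nothing in this hunk rejects a hidden bug for users without canviewhidden, so unless a later check does, anyone who guesses the id can still comment on a hidden report; the pattern used elsewhere in this patch, `if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid'])) { $message->error_permission(); }`, belongs after the existence check. The surrounding code continues outside the hunk.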
require_once('./global.php');
require_once('./includes/functions_product.php');
-if (!can_perform('cansubmitbugs'))
+if (!can_perform('cansubmitbugs', null, intval($bugsys->in['productid'])))
{
$message->error_permission();
}
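Review bot: The cansubmitbugs check keys on the raw request value `intval($bugsys->in['productid'])`, whereas editreport stores the product as the validated `$pcv['product']`; if newreport also resolves the product through the product/component/version helper before inserting, make sure the value authorised here is the same one that ends up in the INSERT, otherwise a user could pass the check for one product and file the bug into another. The later canchangestatus and canassign checks in this file key on the same raw value and should follow whatever is decided here. The INSERT is outside the hunk, so this is inferred from the editreport hunk and needs confirming.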
{
// -------------------------------------------------------------------
// check permissions on various input values
- if (!can_perform('canchangestatus'))
+ if (!can_perform('canchangestatus', null, intval($bugsys->in['productid'])))
{
$bugsys->in['priority'] = $bugsys->options['defaultpriority'];
$bugsys->in['status'] = $bugsys->options['defaultstatus'];
$bugsys->in['resolution'] = $bugsys->options['defaultresolve'];
}
}
- if (!can_perform('canassign'))
+ if (!can_perform('canassign', null, intval($bugsys->in['productid'])))
{
$bugsys->in['assignedto'] = $bugsys->options['defaultassign'];
}
$message->error($lang->getlex('error_invalid_id'));
}
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
{
$message->error_permission();
}
$message->error($lang->getlex('error_invalid_id'));
}
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
{
$message->error_permission();
}
{
$select['severity'] = construct_datastore_select('severity', 'severity', 'severityid', $bug['severity']);
- $show['changestatus'] = ((can_perform('canchangestatus')) ? true : false);
- if (can_perform('canchangestatus'))
+ $show['changestatus'] = ((can_perform('canchangestatus', null, $bug['productid'])) ? true : false);
+ if (can_perform('canchangestatus', null, $bug['productid']))
{
$select['priority'] = construct_datastore_select('priority', 'priority', 'priorityid', $bug['priority']);
$select['status'] = construct_datastore_select('status', 'status', 'statusid', $bug['status']);
$select['resolution'] = construct_datastore_select('resolution', 'resolution', 'resolutionid', $bug['resolution']);
}
- $show['assign'] = ((can_perform('canassign')) ? true : false);
- if (can_perform('canassign'))
+ $show['assign'] = ((can_perform('canassign', null, $bug['productid'])) ? true : false);
+ if (can_perform('canassign', null, $bug['productid']))
{
foreach ($bugsys->datastore['assignto'] AS $dev)
{
// -------------------------------------------------------------------
// attachments
-$show['getattachments'] = ((can_perform('cangetattach') OR can_perform('caneditattach')) ? true : false);
-$show['putattachments'] = ((can_perform('canputattach') OR can_perform('caneditattach')) ? true : false);
+$show['getattachments'] = ((can_perform('cangetattach', null, $bug['productid']) OR can_perform('caneditattach', null, $bug['productid'])) ? true : false);
+$show['putattachments'] = ((can_perform('canputattach', null, $bug['productid']) OR can_perform('caneditattach', null, $bug['productid'])) ? true : false);
$show['attachments'] = ($show['getattachments'] OR $show['putattachments']) ? true : false;
if ($show['getattachments'] OR $show['putattachments'])
while ($attachment = $db->fetch_array($attachments_fetch))
{
$attaches = true;
- $show['editattach'] = ((can_perform('caneditattach') OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach'))) ? true : false);
+ $show['editattach'] = ((can_perform('caneditattach', null, $bug['productid']) OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach', null, $bug['productid']))) ? true : false);
$attachment['date'] = $datef->format($bugsys->options['dateformat'], $attachment['dateline']);
$attachment['user'] = construct_user_display($attachment, false);
eval('$attachments .= "' . $template->fetch('showreport_attachment') . '";');
$vote['forpercent'] = round($vote['votefor'] / $vote['total'], 3) * 100;
$vote['againstpercent'] = round($vote['voteagainst'] / $vote['total'], 3) * 100;
-$show['vote'] = ((can_perform('canvote') AND !$vote['uservote']) ? true : false);
+$show['vote'] = ((can_perform('canvote', null, $bug['productid']) AND !$vote['uservote']) ? true : false);
// -------------------------------------------------------------------
// get comments
FROM " . TABLE_PREFIX . "comment AS comment
LEFT JOIN " . TABLE_PREFIX . "user AS user
ON (comment.userid = user.userid)
- WHERE comment.bugid = $bug[bugid]" . ((!can_perform('canviewhidden')) ? "
+ WHERE comment.bugid = $bug[bugid]" . ((!can_perform('canviewhidden', null, $bug['productid'])) ? "
AND !hidden" : '') . "
ORDER BY comment.dateline ASC"
);
{
$comment['posttime'] = $datef->format($bugsys->options['dateformat'], $comment['dateline']);
$comment['postby'] = construct_user_display($comment);
- $show['editcomment'] = (((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) ? true : false);
+ $show['editcomment'] = (((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) ? true : false);
if (is_array($hilight))
{
eval('$comments .= "' . $template->fetch('showreport_comment') . '";');
}
-$show['newreply'] = ((can_perform('canpostcomments')) ? true : false);
+$show['newreply'] = ((can_perform('canpostcomments', null, $bug['productid'])) ? true : false);
if (is_array($hilight))
{
$message->error($lang->getlex('error_invalid_id'));
}
+// #*# permission checks per-bug and hidden bugs
+
if (!can_perform('cangetattach') AND !can_perform('caneditattach'))
{
$message->error_permission();
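Review bot: The check under the newly added `#*# permission checks per-bug and hidden bugs` marker is still the global form `can_perform('cangetattach')` / `can_perform('caneditattach')`, so attachment downloads bypass the per-product permissions this commit introduces everywhere else, and nothing visible here rejects attachments that belong to hidden bugs. If the attachment's bug row is available at this point the check should become `if (!can_perform('cangetattach', null, $bug['productid']) AND !can_perform('caneditattach', null, $bug['productid']))`, followed by the same hidden-bug check used in showreport; otherwise the bug row needs to be fetched first. Leaving a marker comment in place of the check ships the gap. The `if` block continues outside the hunk.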
require_once('./global.php');
-if (!can_perform('canvote'))
-{
- $message->error_permission();
-}
-
// ###################################################################
if (empty($_REQUEST['do']))
$bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']) . ((!can_perform('canviewhidden')) ? " AND !bug.hidden" : ''));
$vote = $db->query_first("SELECT *, FIND_IN_SET(" . $bugsys->userinfo['userid'] . ", userids) AS uservote FROM " . TABLE_PREFIX . "vote WHERE bugid = $bug[bugid]");
+ if (!can_perform('canvote', null, $bug['productid']))
+ {
+ $message->error_permission();
+ }
+
if (!$bug)
{
$message->error($lang->getlex('error_invalid_id'));
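Review bot: The new canvote check reads `$bug['productid']` before the `if (!$bug)` guard that follows it, so for an unknown or filtered-out id it runs with a null product (whatever `can_perform` does with that) instead of failing fast, and the `$vote` query just above already interpolates `$bug[bugid]` from the same unchecked row. Move the permission check, and ideally the vote query, below the `error_invalid_id` exit. The bug query on the context line above still filters hidden reports with the global `can_perform('canviewhidden')` rather than the per-product form used elsewhere in this commit; the fetch-then-check pattern from editreport's handle branch would fix that too. Since the top-level canvote check was removed, any `do=` branch other than this one is now unguarded, which is worth confirming. The enclosing `if (empty($_REQUEST['do']))` block runs past this hunk.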