r527: Base new permission checks
authorRobert Sesek <rsesek@bluestatic.org>
Mon, 10 Oct 2005 19:18:51 +0000 (19:18 +0000)
committerRobert Sesek <rsesek@bluestatic.org>
Mon, 10 Oct 2005 19:18:51 +0000 (19:18 +0000)
attachment.php
editcomment.php
editreport.php
favourite.php
index.php
newcomment.php
newreport.php
showhistory.php
showreport.php
viewattachment.php
vote.php

index 4689b8fdf1cade454ab31c75bd722442d9f7156c..6bf64a225e18fb904f22a8e34da2fd03d22a25f1 100755 (executable)
@@ -45,7 +45,7 @@ $log->bugid = $bug['bugid'];
 
 if ($_POST['do'] == 'insert')
 {
-       if (!can_perform('canputattach'))
+       if (!can_perform('canputattach', null, $bug['productid']))
        {
                $message->error_permission();
        }
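Review bot: `$bug['productid']` is re-read at every check in this file (also the hunks at old lines 108, 138, 163 and 191); a single `$productid = $bug['productid'];` after the bug row is loaded, passed to each `can_perform` call, makes it obvious that all six checks resolve against the same product. The bug lookup itself is outside the hunk — the header only shows `$log->bugid = $bug['bugid']` — so confirm it rejects an unknown bugid before this point; otherwise `$bug['productid']` is null and the permission is resolved against whatever `can_perform` treats a null product as.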
@@ -108,7 +108,7 @@ if ($_POST['do'] == 'insert')
        }
        
        // handle comment stuff
-       if (can_perform('canpostcomments') AND trim($bugsys->in['comment']))
+       if (can_perform('canpostcomments', null, $bug['productid']) AND trim($bugsys->in['comment']))
        {
                $bugsys->in['comment_parsed'] = $bugsys->in['comment'];
                
@@ -138,14 +138,14 @@ if ($_POST['do'] == 'insert')
 
 if ($_REQUEST['do'] == 'add')
 {
-       if (!can_perform('canputattach'))
+       if (!can_perform('canputattach', null, $bug['productid']))
        {
                $message->error_permission();
        }
        
        $MAXFILESIZE = $funct->fetch_max_attachment_size();
        
-       $show['addcomment'] = ((can_perform('canpostcomments')) ? true : false);
+       $show['addcomment'] = ((can_perform('canpostcomments', null, $bug['productid'])) ? true : false);
        $show['obsoletes'] = false;
        
        $obsoletes_fetch = $db->query("SELECT * FROM " . TABLE_PREFIX . "attachment WHERE bugid = $bug[bugid] AND !obsolete");
@@ -163,7 +163,7 @@ if ($_REQUEST['do'] == 'add')
 
 if ($_POST['do'] == 'update')
 {
-       if (!(can_perform('caneditattach') OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach'))))
+       if (!(can_perform('caneditattach', null, $bug['productid']) OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach', null, $bug['productid']))))
        {
                $message->error_permission();
        }
@@ -191,12 +191,12 @@ if ($_POST['do'] == 'update')
 
 if ($_REQUEST['do'] == 'edit')
 {
-       if (!(can_perform('caneditattach') OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach'))))
+       if (!(can_perform('caneditattach', null, $bug['productid']) OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach', null, $bug['productid']))))
        {
                $message->error_permission();
        }
        
-       $show['delete'] = ((can_perform('caneditattach')) ? true : false);
+       $show['delete'] = ((can_perform('caneditattach', null, $bug['productid'])) ? true : false);
        
        eval('$template->flush("' . $template->fetch('editattach') . '");');
 }
index 85a09205d45162834bae5831bece248fa4ee618f..95395c6661fd1d6689a5205a3344615001bd39f1 100644 (file)
@@ -35,12 +35,12 @@ if (!$comment)
 
 $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = $comment[bugid]");
 
-if (!((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')))
+if (!((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])))
 {
        $message->error_permission();
 }
 
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
 {
        $message->error_permissison();
 }
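Review bot: The hidden-bug branch added at line 90 ends in `$message->error_permissison()` on the following context line, a misspelling of the `error_permission()` called three lines above, so the new per-product check resolves to a call to an undefined method. The request is still aborted, but as a PHP fatal error rather than the intended permission message. Change it to `$message->error_permission();`.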
index a88775ca56813edea78db6dccdf2c944e9aaf129..126003203fb754c7df8c998ba560921007e50246 100644 (file)
@@ -26,7 +26,7 @@ $bug = $db->query_first("
        WHERE bug.bugid = " . intval($bugsys->in['bugid'])
 );
 
-if (!(((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) AND can_perform('caneditinfo')) AND !can_perform('canpostcomments'))
+if (!(((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) AND can_perform('caneditinfo', null, $bug['productid'])) AND !can_perform('canpostcomments', null, $bug['productid']))
 {
        $message->error_permission();
 }
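Review bot: The check at line 100 reads `$bug['productid']` before the `if (!$bug)` guard in the next hunk (old line 36), so for an unknown bugid the permission is evaluated with a null product first and the invalid-id error is only reported afterwards. Move the `if (!$bug)` block above this check (or this check below it) so the permission is always resolved against a real product. The condition also compares against `$comment['userid']`, a variable this file is not shown populating — if it is unset here the `caneditown` branch can never be satisfied, which is worth confirming. The top-level script continues outside the hunk.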
@@ -36,7 +36,7 @@ if (!$bug)
        $message->error($lang->getlex('error_invalid_id'));
 }
 
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
 {
        $message->error_permission();
 }
@@ -52,7 +52,7 @@ if ($_POST['do'] == 'update')
 {
        // -------------------------------------------------------------------
        // process comment stuff
-       if (!(((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) AND can_perform('caneditinfo')))
+       if (!(((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) AND can_perform('caneditinfo', null, $bug['productid'])))
        {
                $hascomment = (!empty($bugsys->in['comment'])) ? true : false;
                
@@ -105,7 +105,7 @@ if ($_POST['do'] == 'update')
                }
        }
        
-       if (!(((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) AND can_perform('caneditinfo')))
+       if (!(((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) AND can_perform('caneditinfo', null, $bug['productid'])))
        {
                $message->redirect($lang->string('Your reply has been added to the comment list.'), "showreport.php?bugid=$bug[bugid]");
        }
@@ -155,12 +155,12 @@ if ($_POST['do'] == 'update')
                UPDATE " . TABLE_PREFIX . "bug
                SET summary = '" . $bugsys->in['summary'] . "',
                        severity = " . intval($bugsys->in['severity']) . "," .
-                               (can_perform('canchangestatus') ? "
+                               (can_perform('canchangestatus', null, $bug['productid']) ? "
                                        priority = " . intval($bugsys->in['priority']) . ",
                                        status = " . intval($bugsys->in['status']) . ",
                                        resolution = " . intval($bugsys->in['resolution']) . ","
                                : '') . "
-                       " . (can_perform('canassign') ? "assignedto = " . intval($bugsys->in['assignedto']) . "," : '') . "
+                       " . (can_perform('canassign', null, $bug['productid']) ? "assignedto = " . intval($bugsys->in['assignedto']) . "," : '') . "
                        duplicateof = " . intval($bugsys->in['duplicateof']) . ",
                        dependency = '$dependencies',
                        productid = " . $pcv['product'] . ",
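Review bot: The permission checks that gate this UPDATE are evaluated against the bug's current `$bug['productid']`, but the statement writes `productid = " . $pcv['product']`, so a user with edit rights in the current product can move the report into a product that was never checked. If `$pcv['product']` can differ from `$bug['productid']` (its derivation is outside the hunk), evaluate at least `caneditinfo` against the destination as well before running the update, e.g. `if ($pcv['product'] != $bug['productid'] AND !can_perform('caneditinfo', null, $pcv['product'])) { $message->error_permission(); }`. The same query also interpolates `$bugsys->in['summary']` unescaped on line 133; that is pre-existing, but this hunk is where the `$db` wrapper's escaping helper belongs.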
index 3fc008e5cd22060c3c00ce4af451d0e730176cb5..256e43c2b9c70e6b80f00ca93886102723f026fa 100644 (file)
@@ -32,8 +32,8 @@ if (empty($_REQUEST['do']))
 
 if ($_REQUEST['do'] == 'handle')
 {
-       $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']) . ((!can_perform('canviewhidden')) ? " AND !bug.hidden" : ''));
-       if (!$bug)
+       $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']));
+       if (!$bug OR (!can_perform('canviewhidden', null, $bug['productid']) AND $bug['hidden']))
        {
                $message->error($lang->getlex('error_invalid_id'));
        }
index c53e49ce521a82454066432575befa1b4ea1e971..5795d599ab225ce03858941fb834146c6683cd17 100644 (file)
--- a/index.php
+++ b/index.php
@@ -59,7 +59,7 @@ while ($bug = $db->fetch_array($bugs_fetch))
        $bug['status'] = $bugsys->datastore['status']["$bug[status]"]['status'];
        $bug['resolution'] = $bugsys->datastore['resolution']["$bug[resolution]"]['resolution'];
        
-       $bug['hiddendisplay'] = ((!can_perform('canviewhidden') AND $bug['hiddenlastposttime']) ? true : false);
+       $bug['hiddendisplay'] = ((!can_perform('canviewhidden', null, $bug['productid']) AND $bug['hiddenlastposttime']) ? true : false);
        
        $bug['lastposttime'] = (($bug['hiddendisplay']) ? $bug['hiddenlastposttime'] : $bug['lastposttime']);
        $bug['lastpost'] = (($bug['hiddendisplay']) ? $bug['hiddenlastpost'] : $bug['lastpost']);
index 5d10918c1e16f4b40435ccbcda113b787e85f3da..39ecd7b3a964654e752554c59446eb197216210f 100644 (file)
@@ -14,7 +14,13 @@ define('SVN', '$Id$');
 
 require_once('./global.php');
 
-if (!can_perform('canpostcomments'))
+$bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']));
+if (!$bug)
+{
+       $message->error($lang->getlex('error_invalid_id'));
+}
+
+if (!can_perform('canpostcomments', null, $bug['productid'])))
 {
        $message->error_permission();
 }
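Review bot: Line 182 has unbalanced parentheses — `if (!can_perform('canpostcomments', null, $bug['productid'])))` closes three groups but opens only two — so newcomment.php will fail to parse and every comment submission breaks. It should read `if (!can_perform('canpostcomments', null, $bug['productid']))`. The new bug lookup above it is in the right order (existence is checked before `$bug['productid']` is read); unlike editcomment.php in this commit, though, no `canviewhidden` check follows it, so hidden bugs may accept comments through this path — worth confirming against the rest of the file, which is outside the hunk.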
index b344b1e03b431cec85f1eaa161752081e9b3d658..d305aa0e59ff78e543af3b4babe602bab8ffe37b 100755 (executable)
@@ -21,7 +21,7 @@ $focus['newreport'] = 'focus';
 require_once('./global.php');
 require_once('./includes/functions_product.php');
 
-if (!can_perform('cansubmitbugs'))
+if (!can_perform('cansubmitbugs', null, intval($bugsys->in['productid'])))
 {
        $message->error_permission();
 }
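Review bot: `intval($bugsys->in['productid'])` is recomputed inline at line 192 and again in the hunks at old lines 39 and 60; a single `$productid = intval($bugsys->in['productid']);` after the requires, passed to each `can_perform` call, keeps the three checks visibly against the same value and gives a later product-existence check one place to live. Since the value comes straight from request input, confirm that the product is validated before the insert that follows outside these hunks.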
@@ -39,7 +39,7 @@ if ($_POST['do'] == 'insert')
 {
        // -------------------------------------------------------------------
        // check permissions on various input values
-       if (!can_perform('canchangestatus'))
+       if (!can_perform('canchangestatus', null, intval($bugsys->in['productid'])))
        {
                $bugsys->in['priority'] = $bugsys->options['defaultpriority'];
                $bugsys->in['status'] = $bugsys->options['defaultstatus'];
@@ -60,7 +60,7 @@ if ($_POST['do'] == 'insert')
                        $bugsys->in['resolution'] = $bugsys->options['defaultresolve'];
                }
        }
-       if (!can_perform('canassign'))
+       if (!can_perform('canassign', null, intval($bugsys->in['productid'])))
        {
                $bugsys->in['assignedto'] = $bugsys->options['defaultassign'];
        }
index 495249b3b02e3bf80b90d4591b37b26bd9271f18..7066d66a5814cf7d5d2bad3c9cc1c61753c8ae65 100644 (file)
@@ -28,7 +28,7 @@ if (!$bug)
        $message->error($lang->getlex('error_invalid_id'));
 }
 
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
 {
        $message->error_permission();
 }
index 5629b8f45ab1de2fa89bde6c8fa5b0932f1dff56..9439125bae98b0ec7bdbba71a84a1cdc2fdbb1f7 100644 (file)
@@ -74,7 +74,7 @@ if (!is_array($bug))
        $message->error($lang->getlex('error_invalid_id'));
 }
 
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
 {
        $message->error_permission();
 }
@@ -97,16 +97,16 @@ if ($show['edit'])
 {
        $select['severity'] = construct_datastore_select('severity', 'severity', 'severityid', $bug['severity']);
        
-       $show['changestatus'] = ((can_perform('canchangestatus')) ? true : false);
-       if (can_perform('canchangestatus'))
+       $show['changestatus'] = ((can_perform('canchangestatus', null, $bug['productid'])) ? true : false);
+       if (can_perform('canchangestatus', null, $bug['productid']))
        {
                $select['priority'] = construct_datastore_select('priority', 'priority', 'priorityid', $bug['priority']);
                $select['status'] = construct_datastore_select('status', 'status', 'statusid', $bug['status']);
                $select['resolution'] = construct_datastore_select('resolution', 'resolution', 'resolutionid', $bug['resolution']);             
        }
        
-       $show['assign'] = ((can_perform('canassign')) ? true : false);
-       if (can_perform('canassign'))
+       $show['assign'] = ((can_perform('canassign', null, $bug['productid'])) ? true : false);
+       if (can_perform('canassign', null, $bug['productid']))
        {
                foreach ($bugsys->datastore['assignto'] AS $dev)
                {
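Review bot: `can_perform('canchangestatus', null, $bug['productid'])` is evaluated twice in a row at lines 240-241, and the same pattern repeats for `canassign` at 250-251; the `if` can reuse the value just stored, `if ($show['changestatus'])` and `if ($show['assign'])`. The `((…) ? true : false)` wrapping is redundant if `can_perform` already returns a bool — if it returns something looser, a `(bool)` cast says so more directly. In the attachment and comment loops further down (hunks at old lines 250 and 285) the `caneditattach` and `caneditothers` calls are loop-invariant and could be hoisted above their `while`.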
@@ -230,8 +230,8 @@ foreach ($words AS $word)
 
 // -------------------------------------------------------------------
 // attachments
-$show['getattachments'] = ((can_perform('cangetattach') OR can_perform('caneditattach')) ? true : false);
-$show['putattachments'] = ((can_perform('canputattach') OR can_perform('caneditattach')) ? true : false);
+$show['getattachments'] = ((can_perform('cangetattach', null, $bug['productid']) OR can_perform('caneditattach', null, $bug['productid'])) ? true : false);
+$show['putattachments'] = ((can_perform('canputattach', null, $bug['productid']) OR can_perform('caneditattach', null, $bug['productid'])) ? true : false);
 $show['attachments'] = ($show['getattachments'] OR $show['putattachments']) ? true : false;
 
 if ($show['getattachments'] OR $show['putattachments'])
@@ -250,7 +250,7 @@ if ($show['getattachments'] OR $show['putattachments'])
        while ($attachment = $db->fetch_array($attachments_fetch))
        {
                $attaches = true;
-               $show['editattach'] = ((can_perform('caneditattach') OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach'))) ? true : false);
+               $show['editattach'] = ((can_perform('caneditattach', null, $bug['productid']) OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach', null, $bug['productid']))) ? true : false);
                $attachment['date'] = $datef->format($bugsys->options['dateformat'], $attachment['dateline']);
                $attachment['user'] = construct_user_display($attachment, false);
                eval('$attachments .= "' . $template->fetch('showreport_attachment') . '";');
@@ -268,7 +268,7 @@ $vote['total'] = $vote['votefor'] + $vote['voteagainst'];
 $vote['forpercent'] = round($vote['votefor'] / $vote['total'], 3) * 100;
 $vote['againstpercent'] = round($vote['voteagainst'] / $vote['total'], 3) * 100;
 
-$show['vote'] = ((can_perform('canvote') AND !$vote['uservote']) ? true : false);
+$show['vote'] = ((can_perform('canvote', null, $bug['productid']) AND !$vote['uservote']) ? true : false);
 
 // -------------------------------------------------------------------
 // get comments
@@ -277,7 +277,7 @@ $comments_fetch = $db->query("
        FROM " . TABLE_PREFIX . "comment AS comment
        LEFT JOIN " . TABLE_PREFIX . "user AS user
                ON (comment.userid = user.userid)
-       WHERE comment.bugid = $bug[bugid]" . ((!can_perform('canviewhidden')) ? "
+       WHERE comment.bugid = $bug[bugid]" . ((!can_perform('canviewhidden', null, $bug['productid'])) ? "
                AND !hidden" : '') . "
        ORDER BY comment.dateline ASC"
 );
@@ -285,7 +285,7 @@ while ($comment = $db->fetch_array($comments_fetch))
 {
        $comment['posttime'] = $datef->format($bugsys->options['dateformat'], $comment['dateline']);
        $comment['postby'] = construct_user_display($comment);
-       $show['editcomment'] = (((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) ? true : false);
+       $show['editcomment'] = (((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) ? true : false);
        
        if (is_array($hilight))
        {
@@ -300,7 +300,7 @@ while ($comment = $db->fetch_array($comments_fetch))
        eval('$comments .= "' . $template->fetch('showreport_comment') . '";');
 }
 
-$show['newreply'] = ((can_perform('canpostcomments')) ? true : false);
+$show['newreply'] = ((can_perform('canpostcomments', null, $bug['productid'])) ? true : false);
 
 if (is_array($hilight))
 {
index f4e9b571e28129d85787a22a8b0e51120cba03e1..c6bdc5a8d4fa05bb6f41003bdb1729d456dd1c08 100755 (executable)
@@ -24,6 +24,8 @@ if (!$attachment)
        $message->error($lang->getlex('error_invalid_id'));
 }
 
+// #*# permission checks per-bug and hidden bugs
+
 if (!can_perform('cangetattach') AND !can_perform('caneditattach'))
 {
        $message->error_permission();
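Review bot: The `#*#` marker records that the checks below are still global: `can_perform('cangetattach')` and `can_perform('caneditattach')` on line 318 take no product id, and nothing in the hunk looks at whether the attachment's bug is hidden, so this file stays on the old model while showreport.php in the same commit gates the attachment links per product. Until the TODO is done, the download path enforces less than the page that links to it. To close it, fetch the owning bug by `$attachment['bugid']` and pass `$bug['productid']` here as the other files do, with a hidden-bug check mirroring editcomment.php.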
index 204e3e612e5ee6906dc92584b73d256c67f78597..9ce89ddf94d38d562425f4a1925a111f63404942 100644 (file)
--- a/vote.php
+++ b/vote.php
@@ -16,11 +16,6 @@ $focus['showreport'] = 'focus';
 
 require_once('./global.php');
 
-if (!can_perform('canvote'))
-{
-       $message->error_permission();
-}
-
 // ###################################################################
 
 if (empty($_REQUEST['do']))
@@ -35,6 +30,11 @@ if ($_REQUEST['do'] == 'vote')
        $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']) . ((!can_perform('canviewhidden')) ? " AND !bug.hidden" : ''));
        $vote =  $db->query_first("SELECT *, FIND_IN_SET(" . $bugsys->userinfo['userid'] . ", userids) AS uservote FROM " . TABLE_PREFIX . "vote WHERE bugid = $bug[bugid]");
        
+       if (!can_perform('canvote', null, $bug['productid']))
+       {
+               $message->error_permission();
+       }
+       
        if (!$bug)
        {
                $message->error($lang->getlex('error_invalid_id'));
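Review bot: The `canvote` check added at line 340 reads `$bug['productid']` before the `if (!$bug)` guard at line 345, so for a missing bug (or, for users without `canviewhidden`, a hidden one) the permission is evaluated with a null product first and the invalid-id error only comes second; the block should sit after the `if (!$bug)` check. The query on line 337 also still filters hidden bugs with the global `can_perform('canviewhidden')`, unlike favourite.php in this commit, which fetches the row and then checks per product — aligning the two keeps hidden-bug handling consistent. `$vote` is likewise fetched with `$bug[bugid]` before `$bug` is validated; that is pre-existing, but the same reorder fixes it.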