From a4a1b3e882fece1063902798b6214d3fc496986c Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Mon, 10 Oct 2005 19:18:51 +0000
Subject: [PATCH] r527: Base new permission checks

---
 attachment.php | 14 +++++++-------
 editcomment.php | 4 ++--
 editreport.php | 12 ++++++------
 favourite.php | 4 ++--
 index.php | 2 +-
 newcomment.php | 8 +++++++-
 newreport.php | 6 +++---
 showhistory.php | 2 +-
 showreport.php | 24 ++++++++++++------------
 viewattachment.php | 2 ++
 vote.php | 10 +++++-----
 11 files changed, 48 insertions(+), 40 deletions(-)

diff --git a/attachment.php b/attachment.php
index 4689b8f..6bf64a2 100755
--- a/attachment.php
+++ b/attachment.php
@@ -45,7 +45,7 @@ $log->bugid = $bug['bugid'];
 if ($_POST['do'] == 'insert')
 {
- if (!can_perform('canputattach'))
+ if (!can_perform('canputattach', null, $bug['productid']))
 {
 $message->error_permission();
 }
@@ -108,7 +108,7 @@ if ($_POST['do'] == 'insert')
 }
 // handle comment stuff
- if (can_perform('canpostcomments') AND trim($bugsys->in['comment']))
+ if (can_perform('canpostcomments', null, $bug['productid']) AND trim($bugsys->in['comment']))
 {
 $bugsys->in['comment_parsed'] = $bugsys->in['comment'];
@@ -138,14 +138,14 @@ if ($_POST['do'] == 'insert')
 if ($_REQUEST['do'] == 'add')
 {
- if (!can_perform('canputattach'))
+ if (!can_perform('canputattach', null, $bug['productid']))
 {
 $message->error_permission();
 }
 $MAXFILESIZE = $funct->fetch_max_attachment_size();
- $show['addcomment'] = ((can_perform('canpostcomments')) ? true : false);
+ $show['addcomment'] = ((can_perform('canpostcomments', null, $bug['productid'])) ? true : false);
 $show['obsoletes'] = false;
 $obsoletes_fetch = $db->query("SELECT * FROM " . TABLE_PREFIX . "attachment WHERE bugid = $bug[bugid] AND !obsolete");
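Review bot: `$show['addcomment'] = ((can_perform('canpostcomments', null, $bug['productid'])) ? true : false);` in the third attachment.php hunk wraps the permission call in a redundant `? true : false` and an extra pair of parentheses; if can_perform() already returns a boolean, `$show['addcomment'] = can_perform('canpostcomments', null, $bug['productid']);` says the same thing, otherwise `(bool) can_perform(...)` makes the coercion explicit. The same shape is repeated on `$show['delete']` later in attachment.php and on every `$show[...]` assignment in the showreport.php hunks, so it is worth normalising in one pass while these lines are being touched.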
@@ -163,7 +163,7 @@ if ($_REQUEST['do'] == 'add')
 if ($_POST['do'] == 'update')
 {
- if (!(can_perform('caneditattach') OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach'))))
+ if (!(can_perform('caneditattach', null, $bug['productid']) OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach', null, $bug['productid']))))
 {
 $message->error_permission();
 }
@@ -191,12 +191,12 @@ if ($_POST['do'] == 'update')
 if ($_REQUEST['do'] == 'edit')
 {
- if (!(can_perform('caneditattach') OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach'))))
+ if (!(can_perform('caneditattach', null, $bug['productid']) OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach', null, $bug['productid']))))
 {
 $message->error_permission();
 }
- $show['delete'] = ((can_perform('caneditattach')) ? true : false);
+ $show['delete'] = ((can_perform('caneditattach', null, $bug['productid'])) ? true : false);
 eval('$template->flush("' . $template->fetch('editattach') . '");');
 }
diff --git a/editcomment.php b/editcomment.php
index 85a0920..95395c6 100644
--- a/editcomment.php
+++ b/editcomment.php
@@ -35,12 +35,12 @@ if (!$comment)
 $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = $comment[bugid]");
-if (!((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')))
+if (!((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])))
 {
 $message->error_permission();
 }
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
 {
 $message->error_permissison();
 }
diff --git a/editreport.php b/editreport.php
index a88775c..1260032 100644
--- a/editreport.php
+++ b/editreport.php
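Review bot: The hidden-bug branch at the end of the editcomment.php hunk calls `$message->error_permissison();`, which is not the method the rest of the commit uses (`error_permission`), so a user without `canviewhidden` opening a hidden bug's comment hits an undefined-method fatal instead of the permission page; it is a context line, but it is the fail-closed path that the new product-scoped `canviewhidden` check on the line above depends on. Change it to `$message->error_permission();`. Separately, `$bug['productid']` and `$bug['hidden']` are read straight after the `$bug` query with no `if (!$bug)` guard, unlike editreport.php and showhistory.php in this commit; if the comment's bug row is missing, both checks run against a null product id, and whether can_perform() then falls back to the global permission is not visible from here.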
@@ -26,7 +26,7 @@ $bug = $db->query_first("
 WHERE bug.bugid = " . intval($bugsys->in['bugid'])
 );
-if (!(((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) AND can_perform('caneditinfo')) AND !can_perform('canpostcomments'))
+if (!(((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) AND can_perform('caneditinfo', null, $bug['productid'])) AND !can_perform('canpostcomments', null, $bug['productid']))
 {
 $message->error_permission();
 }
@@ -36,7 +36,7 @@ if (!$bug)
 $message->error($lang->getlex('error_invalid_id'));
 }
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
 {
 $message->error_permission();
 }
@@ -52,7 +52,7 @@ if ($_POST['do'] == 'update')
 {
 // -------------------------------------------------------------------
 // process comment stuff
- if (!(((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) AND can_perform('caneditinfo')))
+ if (!(((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) AND can_perform('caneditinfo', null, $bug['productid'])))
 {
 $hascomment = (!empty($bugsys->in['comment'])) ? true : false;
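Review bot: The product-scoped permission check in the first editreport.php hunk runs before the `if (!$bug)` guard that the second hunk (line 36) shows, so for an unknown bugid `$bug['productid']` is null and every can_perform() call is evaluated against a null product before the invalid-id error fires; moving the `if (!$bug)` block above the permission check makes the page fail on the id first. The same condition, here and in the hunk at line 52, also reads `$comment['userid']`, yet the only row the visible lines of this file fetch is `$bug`; if `$comment` is never assigned in editreport.php the `caneditown` branch can never match and only `caneditothers`/`caneditinfo` grant access, which is probably not the intent — `$bug['userid']` looks like the field meant, but confirm against the bug table.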
@@ -105,7 +105,7 @@ if ($_POST['do'] == 'update')
 }
 }
- if (!(((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) AND can_perform('caneditinfo')))
+ if (!(((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) AND can_perform('caneditinfo', null, $bug['productid'])))
 {
 $message->redirect($lang->string('Your reply has been added to the comment list.'), "showreport.php?bugid=$bug[bugid]");
 }
@@ -155,12 +155,12 @@ if ($_POST['do'] == 'update') UPDATE " . TABLE_PREFIX . "bug SET summary = '" . $bugsys->in['summary'] . "', severity = " . intval($bugsys->in['severity']) . "," . - (can_perform('canchangestatus') ? " + (can_perform('canchangestatus', null, $bug['productid']) ? " priority = " . intval($bugsys->in['priority']) . ", status = " . intval($bugsys->in['status']) . ", resolution = " . intval($bugsys->in['resolution']) . "," : '') . " - " . (can_perform('canassign') ? "assignedto = " . intval($bugsys->in['assignedto']) . "," : '') . " + " . (can_perform('canassign', null, $bug['productid']) ? "assignedto = " . intval($bugsys->in['assignedto']) . "," : '') . " duplicateof = " . intval($bugsys->in['duplicateof']) . ", dependency = '$dependencies', productid = " . $pcv['product'] . ",
diff --git a/favourite.php b/favourite.php
index 3fc008e..256e43c 100644
--- a/favourite.php
+++ b/favourite.php
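Review bot: The `canchangestatus` and `canassign` gates in the UPDATE hunk are evaluated against `$bug['productid']`, the product the bug is in now, while the same statement writes `productid = " . $pcv['product'] . "`, so a user can be allowed to change status or assignment on a bug they are moving into a product where they hold neither permission; the check should also be applied to `$pcv['product']`, or the move refused when it fails there. `$pcv` is assigned outside this hunk, so confirm where it is resolved. While here, `summary = '" . $bugsys->in['summary'] . "'` and `dependency = '$dependencies'` go into the SQL as-is, unlike the `intval()`-wrapped fields beside them; that is only safe if `$bugsys->in` is escaped centrally in global.php, which the hunk does not show.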
@@ -32,8 +32,8 @@ if (empty($_REQUEST['do']))
 if ($_REQUEST['do'] == 'handle')
 {
- $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']) . ((!can_perform('canviewhidden')) ? " AND !bug.hidden" : ''));
- if (!$bug)
+ $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']));
+ if (!$bug OR (!can_perform('canviewhidden', null, $bug['productid']) AND $bug['hidden']))
 {
 $message->error($lang->getlex('error_invalid_id'));
 }
diff --git a/index.php b/index.php
index c53e49c..5795d59 100644
--- a/index.php
+++ b/index.php
@@ -59,7 +59,7 @@ while ($bug = $db->fetch_array($bugs_fetch))
 $bug['status'] = $bugsys->datastore['status']["$bug[status]"]['status'];
 $bug['resolution'] = $bugsys->datastore['resolution']["$bug[resolution]"]['resolution'];
- $bug['hiddendisplay'] = ((!can_perform('canviewhidden') AND $bug['hiddenlastposttime']) ? true : false);
+ $bug['hiddendisplay'] = ((!can_perform('canviewhidden', null, $bug['productid']) AND $bug['hiddenlastposttime']) ? true : false);
 $bug['lastposttime'] = (($bug['hiddendisplay']) ? $bug['hiddenlastposttime'] : $bug['lastposttime']);
 $bug['lastpost'] = (($bug['hiddendisplay']) ? $bug['hiddenlastpost'] : $bug['lastpost']);
diff --git a/newcomment.php b/newcomment.php
index 5d10918..39ecd7b 100644
--- a/newcomment.php
+++ b/newcomment.php
@@ -14,7 +14,13 @@ define('SVN', '$Id$');
 require_once('./global.php');
-if (!can_perform('canpostcomments'))
+$bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']));
+if (!$bug)
+{
+ $message->error($lang->getlex('error_invalid_id'));
+}
+
+if (!can_perform('canpostcomments', null, $bug['productid'])))
 {
 $message->error_permission();
 }
diff --git a/newreport.php b/newreport.php
index b344b1e..d305aa0 100755
--- a/newreport.php
+++ b/newreport.php
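Review bot: `if (!can_perform('canpostcomments', null, $bug['productid'])))` in the newcomment.php hunk has one closing parenthesis too many and will not parse, so the page is unusable after this commit. The new `$bug` fetch also stops at the invalid-id check: editcomment.php, showhistory.php and favourite.php in this same commit all refuse a hidden bug unless the user holds `canviewhidden`, but newcomment.php would accept a comment on a hidden bug from anyone with `canpostcomments`. The block below fixes the parenthesis and adds the same hidden-bug check; the rest of the file is outside the hunk.
```php
// … unchanged: $bug fetch and invalid-id check …

// hidden bugs need canviewhidden, as in editcomment.php / showhistory.php
if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
{
	$message->error_permission();
}

if (!can_perform('canpostcomments', null, $bug['productid']))
{
	$message->error_permission();
}
```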
@@ -21,7 +21,7 @@ $focus['newreport'] = 'focus';
 require_once('./global.php');
 require_once('./includes/functions_product.php');
-if (!can_perform('cansubmitbugs'))
+if (!can_perform('cansubmitbugs', null, intval($bugsys->in['productid'])))
 {
 $message->error_permission();
 }
@@ -39,7 +39,7 @@ if ($_POST['do'] == 'insert')
 {
 // -------------------------------------------------------------------
 // check permissions on various input values
- if (!can_perform('canchangestatus'))
+ if (!can_perform('canchangestatus', null, intval($bugsys->in['productid'])))
 {
 $bugsys->in['priority'] = $bugsys->options['defaultpriority'];
 $bugsys->in['status'] = $bugsys->options['defaultstatus'];
@@ -60,7 +60,7 @@ if ($_POST['do'] == 'insert')
 $bugsys->in['resolution'] = $bugsys->options['defaultresolve'];
 }
 }
- if (!can_perform('canassign'))
+ if (!can_perform('canassign', null, intval($bugsys->in['productid'])))
 {
 $bugsys->in['assignedto'] = $bugsys->options['defaultassign'];
 }
diff --git a/showhistory.php b/showhistory.php
index 495249b..7066d66 100644
--- a/showhistory.php
+++ b/showhistory.php
@@ -28,7 +28,7 @@ if (!$bug)
 $message->error($lang->getlex('error_invalid_id'));
 }
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
 {
 $message->error_permission();
 }
diff --git a/showreport.php b/showreport.php
index 5629b8f..9439125 100644
--- a/showreport.php
+++ b/showreport.php
@@ -74,7 +74,7 @@ if (!is_array($bug))
 $message->error($lang->getlex('error_invalid_id'));
 }
-if ($bug['hidden'] AND !can_perform('canviewhidden'))
+if ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid']))
 {
 $message->error_permission();
 }
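Review bot: All three newreport.php hunks scope the check to `intval($bugsys->in['productid'])`, the product id exactly as the client submitted it, before anything in the visible lines has verified that the product exists or is the one the report is finally stored under; the editreport.php hunk in this commit writes `productid = " . $pcv['product']`, which suggests the submitted product/component/version is resolved separately. If newreport.php resolves it the same way after these checks, the permission should be evaluated against that resolved id (or the resolution hoisted above the `cansubmitbugs` check), otherwise the id used for the permission decision and the id the bug is filed under can differ. `$pcv` does not appear in these hunks, so confirm where newreport.php computes it.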
@@ -97,16 +97,16 @@ if ($show['edit'])
 {
 $select['severity'] = construct_datastore_select('severity', 'severity', 'severityid', $bug['severity']);
- $show['changestatus'] = ((can_perform('canchangestatus')) ? true : false);
- if (can_perform('canchangestatus'))
+ $show['changestatus'] = ((can_perform('canchangestatus', null, $bug['productid'])) ? true : false);
+ if (can_perform('canchangestatus', null, $bug['productid']))
 {
 $select['priority'] = construct_datastore_select('priority', 'priority', 'priorityid', $bug['priority']);
 $select['status'] = construct_datastore_select('status', 'status', 'statusid', $bug['status']);
 $select['resolution'] = construct_datastore_select('resolution', 'resolution', 'resolutionid', $bug['resolution']);
 }
- $show['assign'] = ((can_perform('canassign')) ? true : false);
- if (can_perform('canassign'))
+ $show['assign'] = ((can_perform('canassign', null, $bug['productid'])) ? true : false);
+ if (can_perform('canassign', null, $bug['productid']))
 {
 foreach ($bugsys->datastore['assignto'] AS $dev)
 {
@@ -230,8 +230,8 @@ foreach ($words AS $word)
 // -------------------------------------------------------------------
 // attachments
-$show['getattachments'] = ((can_perform('cangetattach') OR can_perform('caneditattach')) ? true : false);
-$show['putattachments'] = ((can_perform('canputattach') OR can_perform('caneditattach')) ? true : false);
+$show['getattachments'] = ((can_perform('cangetattach', null, $bug['productid']) OR can_perform('caneditattach', null, $bug['productid'])) ? true : false);
+$show['putattachments'] = ((can_perform('canputattach', null, $bug['productid']) OR can_perform('caneditattach', null, $bug['productid'])) ? true : false);
 $show['attachments'] = ($show['getattachments'] OR $show['putattachments']) ? true : false;
 if ($show['getattachments'] OR $show['putattachments'])
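Review bot: In the first showreport.php hunk `if (can_perform('canchangestatus', null, $bug['productid']))` re-runs the lookup that the line above has just stored in `$show['changestatus']`, and the `canassign` pair does the same; `if ($show['changestatus'])` and `if ($show['assign'])` keep one permission lookup per flag and make it obvious that the template flag and the select-box construction cannot disagree. If can_perform() consults the database per call, this also halves the lookups on the edit form.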
@@ -250,7 +250,7 @@ if ($show['getattachments'] OR $show['putattachments'])
 while ($attachment = $db->fetch_array($attachments_fetch))
 {
 $attaches = true;
- $show['editattach'] = ((can_perform('caneditattach') OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach'))) ? true : false);
+ $show['editattach'] = ((can_perform('caneditattach', null, $bug['productid']) OR ($attachment['userid'] == $bugsys->userinfo['userid'] AND can_perform('canputattach', null, $bug['productid']))) ? true : false);
 $attachment['date'] = $datef->format($bugsys->options['dateformat'], $attachment['dateline']);
 $attachment['user'] = construct_user_display($attachment, false);
 eval('$attachments .= "' . $template->fetch('showreport_attachment') . '";');
@@ -268,7 +268,7 @@ $vote['total'] = $vote['votefor'] + $vote['voteagainst'];
 $vote['forpercent'] = round($vote['votefor'] / $vote['total'], 3) * 100;
 $vote['againstpercent'] = round($vote['voteagainst'] / $vote['total'], 3) * 100;
-$show['vote'] = ((can_perform('canvote') AND !$vote['uservote']) ? true : false);
+$show['vote'] = ((can_perform('canvote', null, $bug['productid']) AND !$vote['uservote']) ? true : false);
 // -------------------------------------------------------------------
 // get comments
@@ -277,7 +277,7 @@ $comments_fetch = $db->query(" FROM " . TABLE_PREFIX . "comment AS comment LEFT JOIN " . TABLE_PREFIX . "user AS user ON (comment.userid = user.userid) - WHERE comment.bugid = $bug[bugid]" . ((!can_perform('canviewhidden')) ? " + WHERE comment.bugid = $bug[bugid]" . ((!can_perform('canviewhidden', null, $bug['productid'])) ? " AND !hidden" : '') . " ORDER BY comment.dateline ASC" );
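Review bot: `$vote['forpercent'] = round($vote['votefor'] / $vote['total'], 3) * 100;` and the `againstpercent` line beside it in the second showreport.php hunk divide by `$vote['total']` with no zero guard, so a bug that has no votes yet raises a division-by-zero warning on every view unless the vote row is guaranteed to start non-empty — the `$vote` query is outside the hunk, so confirm. `$vote['total'] ? round($vote['votefor'] / $vote['total'], 3) * 100 : 0` on both lines keeps the percentages defined. It is pre-existing, but the new `canvote` line sits directly below it, so it is a cheap fix in the same hunk.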
@@ -285,7 +285,7 @@ while ($comment = $db->fetch_array($comments_fetch))
 {
 $comment['posttime'] = $datef->format($bugsys->options['dateformat'], $comment['dateline']);
 $comment['postby'] = construct_user_display($comment);
- $show['editcomment'] = (((can_perform('caneditown') AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers')) ? true : false);
+ $show['editcomment'] = (((can_perform('caneditown', null, $bug['productid']) AND $bugsys->userinfo['userid'] == $comment['userid']) OR can_perform('caneditothers', null, $bug['productid'])) ? true : false);
 if (is_array($hilight))
 {
@@ -300,7 +300,7 @@ while ($comment = $db->fetch_array($comments_fetch))
 eval('$comments .= "' . $template->fetch('showreport_comment') . '";');
 }
-$show['newreply'] = ((can_perform('canpostcomments')) ? true : false);
+$show['newreply'] = ((can_perform('canpostcomments', null, $bug['productid'])) ? true : false);
 if (is_array($hilight))
 {
diff --git a/viewattachment.php b/viewattachment.php
index f4e9b57..c6bdc5a 100755
--- a/viewattachment.php
+++ b/viewattachment.php
@@ -24,6 +24,8 @@ if (!$attachment)
 $message->error($lang->getlex('error_invalid_id'));
 }
+// #*# permission checks per-bug and hidden bugs
+
 if (!can_perform('cangetattach') AND !can_perform('caneditattach'))
 {
 $message->error_permission();
diff --git a/vote.php b/vote.php
index 204e3e6..9ce89dd 100644
--- a/vote.php
+++ b/vote.php
@@ -16,11 +16,6 @@ $focus['showreport'] = 'focus';
 require_once('./global.php');
-if (!can_perform('canvote'))
-{
- $message->error_permission();
-}
-
 // ###################################################################
 if (empty($_REQUEST['do']))
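Review bot: The viewattachment.php hunk leaves its gate as the global `can_perform('cangetattach')` / `can_perform('caneditattach')` and only adds the `// #*# permission checks per-bug and hidden bugs` marker, so after this commit an attachment can still be fetched on a product, or on a hidden bug, that showreport.php now refuses to display; the attachment is the one object this commit does not scope. The attachment row is already loaded (`if (!$attachment)` is the hunk's header), so its bug and that bug's `productid` can be fetched and the same product-scoped and `canviewhidden` checks applied before the file is sent. If the gap is intentionally deferred, say in the marker what tracks it so it is not mistaken for a finished check.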
@@ -35,6 +30,11 @@ if ($_REQUEST['do'] == 'vote')
 $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']) . ((!can_perform('canviewhidden')) ? " AND !bug.hidden" : ''));
 $vote = $db->query_first("SELECT *, FIND_IN_SET(" . $bugsys->userinfo['userid'] . ", userids) AS uservote FROM " . TABLE_PREFIX . "vote WHERE bugid = $bug[bugid]");
+ if (!can_perform('canvote', null, $bug['productid']))
+ {
+ $message->error_permission();
+ }
+
 if (!$bug)
 {
 $message->error($lang->getlex('error_invalid_id'));
-- 2.22.5
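Review bot: The added `can_perform('canvote', null, $bug['productid'])` check runs before the `if (!$bug)` guard that follows it, so for an unknown or filtered-out bug the permission is evaluated against a null product id and, one line earlier, the `$vote` query interpolates `$bug[bugid]` from a false `$bug`; the guard has to come first. The `$bug` query also still uses the global `can_perform('canviewhidden')` to filter hidden bugs, the only such call left after this commit, whereas favourite.php in the same commit was rewritten to fetch the row and then test `hidden` against the product-scoped check. The reordering below mirrors favourite.php; the enclosing `if ($_REQUEST['do'] == 'vote')` block continues outside the hunk.
```php
	$bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . intval($bugsys->in['bugid']));
	if (!$bug OR ($bug['hidden'] AND !can_perform('canviewhidden', null, $bug['productid'])))
	{
		$message->error($lang->getlex('error_invalid_id'));
	}

	if (!can_perform('canvote', null, $bug['productid']))
	{
		$message->error_permission();
	}

	$vote = $db->query_first("SELECT *, FIND_IN_SET(" . $bugsys->userinfo['userid'] . ", userids) AS uservote FROM " . TABLE_PREFIX . "vote WHERE bugid = $bug[bugid]");
```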