From 7321bc030445cc169fca51fdba24d8492c8603a5 Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Sun, 20 Aug 2006 23:42:44 +0000 Subject: [PATCH] r1104: Finally have a decent, working permissions check for bugs. However, it is a huge if() condition, so stick it in its own function. --- includes/functions.php | 46 ++++++++++++++++++++++++++++++++++++++++++ showreport.php | 2 +- 2 files changed, 47 insertions(+), 1 deletion(-) diff --git a/includes/functions.php b/includes/functions.php index 437fd64..09c8bc2 100755 --- a/includes/functions.php +++ b/includes/functions.php @@ -508,6 +508,52 @@ function fetch_guest_user() ); } +// ################################################################### +/** +* Does an exhaustive permissions check on the bug. It checks for hidden +* bug status and ability to view hidden bugs. This normally was done +* at the top of each page, but it got so big, it was moved to a function. +* +* @access public +* +* @param array Bug array +* @param array Alternate user array +* +* @return bool Does the user have permission +*/ +function check_bug_permissions($bug, $userinfo = null) +{ + global $bugsys; + if ($userinfo == null) + { + $userinfo = $bugsys->userinfo; + } + + if + ( + !can_perform('canviewbugs', $bug['product'], $userinfo) + OR + !( + ( + $bug['hidden'] + AND + ( + ($userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['productid'], $userinfo)) + OR + can_perform('canviewhidden', $bug['productid'], $userinfo) + ) + ) + OR + !$bug['hidden'] + ) + ) + { + return false; + } + + return true; +} + /*=====================================================================*\ || ################################################################### || # $HeadURL$ diff --git a/showreport.php b/showreport.php index 0e0afeb..bf1c699 100644 --- a/showreport.php +++ b/showreport.php @@ -84,7 +84,7 @@ if (!is_array($bug)) $message->error($lang->getlex('error_invalid_id')); } -if (!(($bug['hidden'] AND can_perform('canviewhidden', $bug['product'])) OR ($bug['hidden'] AND $bugsys->userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['productid']))) AND can_perform('canviewbugs', $bug['product'])) +if (!check_bug_permissions($bug)) { $message->error_permission(); } -- 2.43.5