From a8d8d020e65db1b04fb0d473654a65dd62bbba50 Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Sun, 20 Aug 2006 23:47:25 +0000 Subject: [PATCH] r1105: Major update of permission checking --- attachment.php | 5 +++++ editcomment.php | 4 ++-- editreport.php | 2 +- favorite.php | 11 ++++++++--- showhistory.php | 2 +- viewattachment.php | 2 +- vote.php | 7 ++++++- 7 files changed, 24 insertions(+), 9 deletions(-) diff --git a/attachment.php b/attachment.php index f5d0858..e866184 100755 --- a/attachment.php +++ b/attachment.php @@ -51,6 +51,11 @@ if (!$bug) $message->error($lang->getlex('error_invalid_id')); } +if (!check_bug_permission($bug)) +{ + $message->error_permission(); +} + require_once('./includes/class_logging.php'); $notif = new NotificationCenter; diff --git a/editcomment.php b/editcomment.php index 4c44ab8..ce5934d 100644 --- a/editcomment.php +++ b/editcomment.php @@ -42,9 +42,9 @@ $comment =& $commentapi->objdata; $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = $comment[bugid]"); -if (!(($bug['hidden'] AND can_perform('canviewhidden', $bug['product'])) OR ($bug['hidden'] AND $bugsys->userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['productid']))) AND can_perform('canviewbugs', $bug['product'])) +if (!check_bug_permission($bug)) { - $message->error_permissison(); + $message->error_permission(); } // ################################################################### diff --git a/editreport.php b/editreport.php index 7a7625d..7aac0d8 100644 --- a/editreport.php +++ b/editreport.php @@ -47,7 +47,7 @@ if (!$bug) $message->error($lang->getlex('error_invalid_id')); } -if (!(($bug['hidden'] AND can_perform('canviewhidden', $bug['product'])) OR ($bug['hidden'] AND $bugsys->userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['productid']))) AND can_perform('canviewbugs', $bug['product'])) +if (!check_bug_permission($bug)) { $message->error_permission(); } diff --git a/favorite.php b/favorite.php index 11c3778..3cf06de 100644 --- a/favorite.php +++ b/favorite.php @@ -41,12 +41,12 @@ if ($_REQUEST['do'] == 'handle') { $bugsys->input_clean('bugid', TYPE_UINT); $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . $bugsys->in['bugid']); - if (!$bug OR (!can_perform('canviewhidden', $bug['product']) AND $bug['hidden'])) + if (!check_bug_permission($bug)) { - $message->error($lang->getlex('error_invalid_id')); + $message->error_permission(); } - if (!can_perform('cansubscribe', $bug['product']) OR !can_perform('canviewbugs', $bug['product'])) + if (!can_perform('cansubscribe', $bug['product'])) { $message->error_permission(); } @@ -67,6 +67,11 @@ if ($_REQUEST['do'] == 'handle') if ($_REQUEST['do'] == 'manage') { + if (!can_perform('canviewbugs')) + { + $message->error_permission(); + } + $favorites = $db->query(" SELECT favorite.bugid, bug.* FROM " . TABLE_PREFIX . "favorite AS favorite RIGHT JOIN " . TABLE_PREFIX . "bug AS bug diff --git a/showhistory.php b/showhistory.php index 1827f42..0e9a9cf 100644 --- a/showhistory.php +++ b/showhistory.php @@ -37,7 +37,7 @@ if (!$bug) $message->error($lang->getlex('error_invalid_id')); } -if (!(($bug['hidden'] AND can_perform('canviewhidden', $bug['product'])) OR ($bug['hidden'] AND $bugsys->userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['productid']))) AND can_perform('canviewbugs', $bug['product'])) +if (!check_bug_permission($bug)) { $message->error_permission(); } diff --git a/viewattachment.php b/viewattachment.php index ff99034..e9e9537 100755 --- a/viewattachment.php +++ b/viewattachment.php @@ -34,7 +34,7 @@ if (!$attachment) } $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = $attachment[bugid]"); -if (($bug['hidden'] AND !can_perform('canviewhidden', $bug['product'])) OR !can_perform('canviewbugs', $bug['product'])) +if (!check_bug_permission($bug)) { $message->error_permission(); } diff --git a/vote.php b/vote.php index a776b02..901b167 100644 --- a/vote.php +++ b/vote.php @@ -36,9 +36,14 @@ if (empty($_REQUEST['do'])) if ($_REQUEST['do'] == 'vote') { - $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . $bugsys->input_clean('bugid', TYPE_UINT) . ((!can_perform('canviewhidden')) ? " AND !hidden" : '')); + $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . $bugsys->input_clean('bugid', TYPE_UINT)); $vote = $db->query_first("SELECT *, FIND_IN_SET(" . $bugsys->userinfo['userid'] . ", userids) AS uservote FROM " . TABLE_PREFIX . "vote WHERE bugid = $bug[bugid]"); + if (!check_bug_permission($bug)) + { + $message->error_permission(); + } + if (!can_perform('canvote', $bug['product'])) { $message->error_permission(); -- 2.43.5