From 411bebb1e34bfc55cf602b1e9b7c766b5a3e60ce Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Mon, 10 Oct 2005 22:33:37 +0000
Subject: [PATCH] r535: Adding permission checks

---
 viewattachment.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/viewattachment.php b/viewattachment.php
index c6bdc5a..44b30aa 100755
--- a/viewattachment.php
+++ b/viewattachment.php
@@ -24,9 +24,13 @@ if (!$attachment)
 $message->error($lang->getlex('error_invalid_id'));
 }
 
-// #*# permission checks per-bug and hidden bugs
+$bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = $attachment[bugid]");
+if (($bug['hidden'] AND !can_perform('canviewhidden', $bug['productid'])) OR !can_perform('canviewbugs', $bug['productid']))
+{
+$message->error_permission();
+}
 
-if (!can_perform('cangetattach') AND !can_perform('caneditattach'))
+if (!can_perform('cangetattach', $bug['productid']) AND !can_perform('caneditattach', $bug['productid']))
 {
 $message->error_permission();
 }
-- 
2.22.5
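Review bot: The added `$bug` lookup is used without checking that a row came back, so an attachment whose bug row is missing reaches both permission checks with `$bug['hidden']` and `$bug['productid']` empty. The hidden-bug test is then skipped, and `can_perform()` is called with an empty product id, which presumably falls back to the global permission, since the old calls omitted that argument; this should be confirmed against `can_perform()`. Failing closed right after the query would avoid it, e.g. `if (!$bug) { $message->error($lang->getlex('error_invalid_id')); }`. The query also interpolates `$attachment[bugid]` directly into the SQL string; the value comes from the attachment row fetched above the hunk, but wrapping it as `intval($attachment['bugid'])` keeps the statement safe regardless of how that row was populated. The script continues past the end of the hunk, so whether `error_permission()` halts execution before the attachment is served cannot be seen from here.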