From 7321bc030445cc169fca51fdba24d8492c8603a5 Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Sun, 20 Aug 2006 23:42:44 +0000
Subject: [PATCH] r1104: Finally have a decent, working permissions check for bugs. However, it is a huge if() condition, so stick it in its own function.
---
 includes/functions.php | 46 ++++++++++++++++++++++++++++++++++++++++++
 showreport.php | 2 +-
 2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/includes/functions.php b/includes/functions.php
index 437fd64..09c8bc2 100755
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -508,6 +508,52 @@ function fetch_guest_user()
 );
 }
+// ###################################################################
+/**
+* Does an exhaustive permissions check on the bug. It checks for hidden
+* bug status and ability to view hidden bugs. This normally was done
+* at the top of each page, but it got so big, it was moved to a function.
+*
+* @access public
+*
+* @param array Bug array
+* @param array Alternate user array
+*
+* @return bool Does the user have permission
+*/
+function check_bug_permissions($bug, $userinfo = null)
+{
+ global $bugsys;
+ if ($userinfo == null)
+ {
+ $userinfo = $bugsys->userinfo;
+ }
+
+ if
+ (
+ !can_perform('canviewbugs', $bug['product'], $userinfo)
+ OR
+ !(
+ (
+ $bug['hidden']
+ AND
+ (
+ ($userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['productid'], $userinfo))
+ OR
+ can_perform('canviewhidden', $bug['productid'], $userinfo)
+ )
+ )
+ OR
+ !$bug['hidden']
+ )
+ )
+ {
+ return false;
+ }
+
+ return true;
+}
+
 /*=====================================================================*\
 || ###################################################################
 || # $HeadURL$
diff --git a/showreport.php b/showreport.php
index 0e0afeb..bf1c699 100644
--- a/showreport.php
+++ b/showreport.php
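Review bot: The three `can_perform()` calls in `check_bug_permissions()` do not agree on the product key: `canviewbugs` is checked with `$bug['product']`, while `canviewownhidden` and `canviewhidden` use `$bug['productid']`. If the bug array carries only one of those keys, the other lookups pass an empty product and the per-product permission may be evaluated against the wrong scope; `can_perform()` is outside this hunk, so confirm the correct key and use it in all three calls. The ownership test `$userinfo['userid'] == $bug['userid']` is a loose comparison, so if guests carry a zero or empty userid (the body of `fetch_guest_user()` is outside the hunk) any guest holding `canviewownhidden` would match every guest-filed hidden bug; `($userinfo['userid'] AND $userinfo['userid'] == $bug['userid'] AND can_perform(...))` closes that. `if ($userinfo == null)` also treats an empty array as missing and silently substitutes the current user's record, which `=== null` avoids.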
@@ -84,7 +84,7 @@ if (!is_array($bug))
 $message->error($lang->getlex('error_invalid_id'));
 }
-if (!(($bug['hidden'] AND can_perform('canviewhidden', $bug['product'])) OR ($bug['hidden'] AND $bugsys->userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['productid']))) AND can_perform('canviewbugs', $bug['product']))
+if (!check_bug_permissions($bug))
 {
 $message->error_permission();
 }
-- 
2.22.5