From a8d8d020e65db1b04fb0d473654a65dd62bbba50 Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Sun, 20 Aug 2006 23:47:25 +0000
Subject: [PATCH] r1105: Major update of permission checking

---
 attachment.php | 5 +++++
 editcomment.php | 4 ++--
 editreport.php | 2 +-
 favorite.php | 11 ++++++++---
 showhistory.php | 2 +-
 viewattachment.php | 2 +-
 vote.php | 7 ++++++-
 7 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/attachment.php b/attachment.php
index f5d0858..e866184 100755
--- a/attachment.php
+++ b/attachment.php
@@ -51,6 +51,11 @@ if (!$bug)
 $message->error($lang->getlex('error_invalid_id'));
 }
 
+if (!check_bug_permission($bug))
+{
+ $message->error_permission();
+}
+
 require_once('./includes/class_logging.php');
 $notif = new NotificationCenter;
 
diff --git a/editcomment.php b/editcomment.php
index 4c44ab8..ce5934d 100644
--- a/editcomment.php
+++ b/editcomment.php
@@ -42,9 +42,9 @@ $comment =& $commentapi->objdata;
 
 $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = $comment[bugid]");
 
-if (!(($bug['hidden'] AND can_perform('canviewhidden', $bug['product'])) OR ($bug['hidden'] AND $bugsys->userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['productid']))) AND can_perform('canviewbugs', $bug['product']))
+if (!check_bug_permission($bug))
 {
- $message->error_permissison();
+ $message->error_permission();
 }
 
 // ###################################################################
diff --git a/editreport.php b/editreport.php
index 7a7625d..7aac0d8 100644
--- a/editreport.php
+++ b/editreport.php
@@ -47,7 +47,7 @@ if (!$bug)
 $message->error($lang->getlex('error_invalid_id'));
 }
 
-if (!(($bug['hidden'] AND can_perform('canviewhidden', $bug['product'])) OR ($bug['hidden'] AND $bugsys->userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['productid']))) AND can_perform('canviewbugs', $bug['product']))
+if (!check_bug_permission($bug))
 {
 $message->error_permission();
 }
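Review bot: The new `check_bug_permission($bug)` line in editcomment.php takes whatever `query_first` returned for `$comment[bugid]`, with no `if (!$bug)` guard in front of it, unlike attachment.php and editreport.php in this same patch. If the comment references a bug row that no longer exists, `$bug` is not an array, and whether the helper fails closed on that input cannot be seen from the patch. Suggest inserting, before the check, `if (!$bug) { $message->error($lang->getlex('error_invalid_id')); }` as those files do. viewattachment.php and vote.php have the same shape, and favorite.php's handle hunk even drops the `!$bug` guard it previously combined with the hidden check.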
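Review bot: The replacement condition in editreport.php delegates to `check_bug_permission()`, whose definition is not part of this patch, so the call site cannot be checked here against the three cases the removed line encoded (`canviewbugs` for the bug's product, `canviewhidden` for hidden bugs, `canviewownhidden` for the reporter's own hidden bug). The removed line also used `$bug['productid']` in the canviewownhidden clause but `$bug['product']` everywhere else; if the helper was lifted from it, confirm it reads the column the bug row actually carries, since a wrong key would presumably yield a null product and leave that branch to whatever `can_perform()` does with it. The same replacement appears in editcomment.php, showhistory.php and viewattachment.php. A docblock on the helper stating which cases it grants and that it returns false for a missing row would make all four call sites reviewable.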
diff --git a/favorite.php b/favorite.php index 11c3778..3cf06de 100644 --- a/favorite.php +++ b/favorite.php @@ -41,12 +41,12 @@ if ($_REQUEST['do'] == 'handle') { $bugsys->input_clean('bugid', TYPE_UINT); $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . $bugsys->in['bugid']); - if (!$bug OR (!can_perform('canviewhidden', $bug['product']) AND $bug['hidden'])) + if (!check_bug_permission($bug)) { - $message->error($lang->getlex('error_invalid_id')); + $message->error_permission(); } - if (!can_perform('cansubscribe', $bug['product']) OR !can_perform('canviewbugs', $bug['product'])) + if (!can_perform('cansubscribe', $bug['product'])) { $message->error_permission(); } @@ -67,6 +67,11 @@ if ($_REQUEST['do'] == 'handle') if ($_REQUEST['do'] == 'manage') { + if (!can_perform('canviewbugs')) + { + $message->error_permission(); + } + $favorites = $db->query(" SELECT favorite.bugid, bug.* FROM " . TABLE_PREFIX . "favorite AS favorite RIGHT JOIN " . TABLE_PREFIX . "bug AS bug diff --git a/showhistory.php b/showhistory.php index 1827f42..0e9a9cf 100644 --- a/showhistory.php +++ b/showhistory.php @@ -37,7 +37,7 @@ if (!$bug) $message->error($lang->getlex('error_invalid_id')); } -if (!(($bug['hidden'] AND can_perform('canviewhidden', $bug['product'])) OR ($bug['hidden'] AND $bugsys->userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['productid']))) AND can_perform('canviewbugs', $bug['product'])) +if (!check_bug_permission($bug)) { $message->error_permission(); } diff --git a/viewattachment.php b/viewattachment.php index ff99034..e9e9537 100755 --- a/viewattachment.php +++ b/viewattachment.php @@ -34,7 +34,7 @@ if (!$attachment) } $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = $attachment[bugid]"); -if (($bug['hidden'] AND !can_perform('canviewhidden', $bug['product'])) OR !can_perform('canviewbugs', $bug['product'])) +if (!check_bug_permission($bug)) { $message->error_permission(); } 
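Review bot: The added `can_perform('canviewbugs')` in the 'manage' hunk passes no product argument, while every other call in this patch scopes the permission to `$bug['product']`, so this gate is global and does not replace a per-bug check. The `$favorites` query that follows joins `favorite` to `bug` for the listing and the 'manage' block continues past the end of the hunk; unless the code outside the hunk applies `check_bug_permission()` to each row (or the query itself filters on `hidden` and product), a hidden bug the user favorited before losing access would presumably still be listed. If the global call is deliberate, a comment such as `// coarse gate only; per-bug visibility is applied to each row below` would record that intent.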
diff --git a/vote.php b/vote.php
index a776b02..901b167 100644
--- a/vote.php
+++ b/vote.php
@@ -36,9 +36,14 @@ if (empty($_REQUEST['do']))
 
 if ($_REQUEST['do'] == 'vote')
 {
- $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . $bugsys->input_clean('bugid', TYPE_UINT) . ((!can_perform('canviewhidden')) ? " AND !hidden" : ''));
+ $bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . $bugsys->input_clean('bugid', TYPE_UINT));
 $vote = $db->query_first("SELECT *, FIND_IN_SET(" . $bugsys->userinfo['userid'] . ", userids) AS uservote FROM " . TABLE_PREFIX . "vote WHERE bugid = $bug[bugid]");
 
+ if (!check_bug_permission($bug))
+ {
+ $message->error_permission();
+ }
+
 if (!can_perform('canvote', $bug['product']))
 {
 $message->error_permission();
-- 
2.22.5
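Review bot: The added `check_bug_permission($bug)` block sits below the `$vote` query, so the vote row is read on behalf of a viewer who has not yet been authorised, and when `query_first` finds no bug `$bug[bugid]` interpolates to nothing and the query ends in `WHERE bugid = `. The `!hidden` filter removed from the bug query was what previously kept a hidden bug out of this path for users without `canviewhidden`, so the new check should run directly after the `$bug` lookup, behind an `if (!$bug)` guard, with the `$vote` query moved after both. The 'vote' handler continues past the end of the hunk.
```php
	$bug = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "bug WHERE bugid = " . $bugsys->input_clean('bugid', TYPE_UINT));
	if (!$bug)
	{
		$message->error($lang->getlex('error_invalid_id'));
	}

	if (!check_bug_permission($bug))
	{
		$message->error_permission();
	}

	// … unchanged: the $vote query now runs here, after both checks; canvote check follows …
```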