Refactor handler access check for soap api

Move the check to a shared method used by mc_issue_add() and mc_issue_update(). Issue #16993
mantisbt · Oct 22, 2014 · a58d63a · a58d63a
1 parent d7e16cc
commit a58d63a
Showing 1 changed file with 33 additions and 35 deletions.
diff --git a/api/soap/mc_issue_api.php b/api/soap/mc_issue_api.php
@@ -588,6 +588,36 @@ function mc_issue_get_id_from_summary( $p_username, $p_password, $p_summary ) {
 	}
 }
 
+/**
+ * Does the actual checks when setting the issue handler.
+ * The user existence check is always done even if handler doesn't change.
+ * The handler's access level check is done even if handler doesn't change.
+ * The current user ability to assign issue access check is only done on change.
+ * This behavior would be consistent with the web UI.
+ *
+ * @param $p_user_id        The id of the logged in user.
+ * @param $p_project_id     The id of the project the issue is associated with.
+ * @param $p_old_handler_id The old handler id.
+ * @param $p_new_handler_id The new handler id.  0 for not assigned.
+ */
+function mci_issue_handler_access_check( $p_user_id, $p_project_id, $p_old_handler_id, $p_new_handler_id ) {
+	if( $p_new_handler_id != 0 ) {
+		if ( !user_exists( $p_new_handler_id ) ) {
+			return SoapObjectsFactory::newSoapFault( 'Client', 'User \'' . $p_new_handler_id . '\' does not exist.' );
+		}
+
+		if( !access_has_project_level( config_get( 'handle_bug_threshold' ), $p_project_id, $p_new_handler_id ) ) {
+			return mci_soap_fault_access_denied( 'User \'' . $p_new_handler_id . '\' does not have access right to handle issues' );
+		}
+	}
+
+	if( $p_old_handler_id != $p_new_handler_id ) {
+		if( !access_has_project_level( config_get( 'update_bug_assign_threshold' ), $p_project_id, $p_user_id ) ) {
+			return mci_soap_fault_access_denied( 'User \'' . $p_user_id . '\' does not have access right to assign issues' );
+		}
+	}
+}
+
 /**
  * Add an issue to the database.
  *
@@ -654,24 +684,7 @@ function mc_issue_add( $p_username, $p_password, stdClass $p_issue ) {
 		return mci_soap_fault_access_denied( 'User \'' . $t_user_id . '\' does not have access right to report issues' );
 	}
 
-	#if( !access_has_project_level( config_get( 'report_bug_threshold' ), $t_project_id ) ||
-	#	!access_has_project_level( config_get( 'report_bug_threshold' ), $t_project_id, $v_reporter ) ) {
-	#	return SoapObjectsFactory::newSoapFault( 'Client', '', "User does not have access right to report issues." );
-	#}
-
-	if( $t_handler_id != 0 ) {
-		if( !access_has_project_level( config_get( 'update_bug_assign_threshold' ), $t_project_id, $t_user_id ) ) {
-			return mci_soap_fault_access_denied( 'User \'' . $t_user_id . '\' does not have access right to assign issues' );
-		}
-
-		if ( !user_exists( $t_handler_id ) ) {
-			return SoapObjectsFactory::newSoapFault( 'Client', 'User \'' . $t_handler_id . '\' does not exist.' );
-		}
-
-		if( !access_has_project_level( config_get( 'handle_bug_threshold' ), $t_project_id, $t_handler_id ) ) {
-			return mci_soap_fault_access_denied( 'User \'' . $t_handler_id . '\' does not have access right to handle issues' );
-		}
-	}
+	mci_issue_handler_access_check( $t_user_id, $t_project_id, /* old */ 0, /* new */ $t_handler_id );
 
 	$t_category = isset( $p_issue['category'] ) ? $p_issue['category'] : null;
 
@@ -900,23 +913,8 @@ function mc_issue_update( $p_username, $p_password, $p_issue_id, stdClass $p_iss
 	$t_bug_data->project_id = $t_project_id;
 	$t_bug_data->reporter_id = $t_reporter_id;
 
-	if ( $t_handler_id != $t_bug_data->handler_id ) {
-		if( !access_has_project_level( config_get( 'update_bug_assign_threshold' ), $t_project_id, $t_user_id ) ) {
-			return mci_soap_fault_access_denied( 'User \'' . $t_user_id . '\' does not have access right to assign issues' );
-		}
-
-		if( $t_handler_id != 0 ) {
-			if( !user_exists( $t_handler_id ) ) {
-				return SoapObjectsFactory::newSoapFault( 'Client', 'User \'' . $t_handler_id . '\' does not exist.' );
-			}
-
-			if( !access_has_project_level( config_get( 'handle_bug_threshold' ), $t_project_id, $t_handler_id ) ) {
-				return mci_soap_fault_access_denied( 'User \'' . $t_handler_id . '\' does not have access right to handle issues' );
-			}
-		}
-
-		$t_bug_data->handler_id = $t_handler_id;
-	}
+	mci_issue_handler_access_check( $t_user_id, $t_project_id, /* old */ $t_bug_data->handler_id, /* new */ $t_handler_id );
+	$t_bug_data->handler_id = $t_handler_id;
 
 	$t_bug_data->category_id = $t_category_id;
 	$t_bug_data->summary = $t_summary;