From a58d63ac12b16450cf999022b13ab12352e8bb47 Mon Sep 17 00:00:00 2001
From: Victor Boctor
Date: Wed, 22 Oct 2014 00:12:30 -0700
Subject: [PATCH] Refactor handler access check for soap api

Move the check to a shared method used by mc_issue_add() and mc_issue_update().

Issue #16993
---
 api/soap/mc_issue_api.php | 68 +++++++++++++++++++--------------------
 1 file changed, 33 insertions(+), 35 deletions(-)

diff --git a/api/soap/mc_issue_api.php b/api/soap/mc_issue_api.php
index 12cf97616c..6b1b06c153 100644
--- a/api/soap/mc_issue_api.php
+++ b/api/soap/mc_issue_api.php
@@ -588,6 +588,36 @@ function mc_issue_get_id_from_summary( $p_username, $p_password, $p_summary ) {
 }
 }
 
+/**
+ * Does the actual checks when setting the issue handler.
+ * The user existence check is always done even if handler doesn't change.
+ * The handler's access level check is done even if handler doesn't change.
+ * The current user ability to assign issue access check is only done on change.
+ * This behavior would be consistent with the web UI.
+ *
+ * @param $p_user_id The id of the logged in user.
+ * @param $p_project_id The id of the project the issue is associated with.
+ * @param $p_old_handler_id The old handler id.
+ * @param $p_new_handler_id The new handler id. 0 for not assigned.
+ */
+function mci_issue_handler_access_check( $p_user_id, $p_project_id, $p_old_handler_id, $p_new_handler_id ) {
+ if( $p_new_handler_id != 0 ) {
+ if ( !user_exists( $p_new_handler_id ) ) {
+ return SoapObjectsFactory::newSoapFault( 'Client', 'User \'' . $p_new_handler_id . '\' does not exist.' );
+ }
+
+ if( !access_has_project_level( config_get( 'handle_bug_threshold' ), $p_project_id, $p_new_handler_id ) ) {
+ return mci_soap_fault_access_denied( 'User \'' . $p_new_handler_id . '\' does not have access right to handle issues' );
+ }
+ }
+
+ if( $p_old_handler_id != $p_new_handler_id ) {
+ if( !access_has_project_level( config_get( 'update_bug_assign_threshold' ), $p_project_id, $p_user_id ) ) {
+ return mci_soap_fault_access_denied( 'User \'' . $p_user_id . '\' does not have access right to assign issues' );
+ }
+ }
+}
+
 /**
 * Add an issue to the database.
 *
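Review bot: The docblock of mci_issue_handler_access_check() has no `@return` line, although the function returns a fault object on every failed check and falls off the end (null) when all checks pass. Because the result is the only way a denial reaches the caller, the contract should be spelled out, for example `@return mixed null when all checks pass, otherwise the SOAP fault to return to the client; callers must return it.` The four `@param` lines would also read better with their types, e.g. `@param integer $p_new_handler_id The new handler id. 0 for not assigned.`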
@@ -654,24 +684,7 @@ function mc_issue_add( $p_username, $p_password, stdClass $p_issue ) {
 return mci_soap_fault_access_denied( 'User \'' . $t_user_id . '\' does not have access right to report issues' );
 }
 
- #if( !access_has_project_level( config_get( 'report_bug_threshold' ), $t_project_id ) ||
- # !access_has_project_level( config_get( 'report_bug_threshold' ), $t_project_id, $v_reporter ) ) {
- # return SoapObjectsFactory::newSoapFault( 'Client', '', "User does not have access right to report issues." );
- #}
-
- if( $t_handler_id != 0 ) {
- if( !access_has_project_level( config_get( 'update_bug_assign_threshold' ), $t_project_id, $t_user_id ) ) {
- return mci_soap_fault_access_denied( 'User \'' . $t_user_id . '\' does not have access right to assign issues' );
- }
-
- if ( !user_exists( $t_handler_id ) ) {
- return SoapObjectsFactory::newSoapFault( 'Client', 'User \'' . $t_handler_id . '\' does not exist.' );
- }
-
- if( !access_has_project_level( config_get( 'handle_bug_threshold' ), $t_project_id, $t_handler_id ) ) {
- return mci_soap_fault_access_denied( 'User \'' . $t_handler_id . '\' does not have access right to handle issues' );
- }
- }
+ mci_issue_handler_access_check( $t_user_id, $t_project_id, /* old */ 0, /* new */ $t_handler_id );
 
 $t_category = isset( $p_issue['category'] ) ? $p_issue['category'] : null;
 
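Review bot: The result of `mci_issue_handler_access_check()` is discarded at this call, so the faults the helper builds never leave it and mc_issue_add() carries on with the requested handler even when the caller is below `update_bug_assign_threshold` or the handler is below `handle_bug_threshold`. The removed inline checks each returned from mc_issue_add(), so as written the refactor turns these authorization checks into a no-op. The same applies to the call in the mc_issue_update() hunk, where `$t_bug_data->handler_id = $t_handler_id;` now runs unconditionally. Capture and propagate the result at both call sites, here as `$t_fault = mci_issue_handler_access_check( $t_user_id, $t_project_id, /* old */ 0, /* new */ $t_handler_id );` followed by `if( $t_fault !== null ) { return $t_fault; }`. Both function bodies continue outside their hunks.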
@@ -900,23 +913,8 @@ function mc_issue_update( $p_username, $p_password, $p_issue_id, stdClass $p_iss
 $t_bug_data->project_id = $t_project_id;
 $t_bug_data->reporter_id = $t_reporter_id;
 
- if ( $t_handler_id != $t_bug_data->handler_id ) {
- if( !access_has_project_level( config_get( 'update_bug_assign_threshold' ), $t_project_id, $t_user_id ) ) {
- return mci_soap_fault_access_denied( 'User \'' . $t_user_id . '\' does not have access right to assign issues' );
- }
-
- if( $t_handler_id != 0 ) {
- if( !user_exists( $t_handler_id ) ) {
- return SoapObjectsFactory::newSoapFault( 'Client', 'User \'' . $t_handler_id . '\' does not exist.' );
- }
-
- if( !access_has_project_level( config_get( 'handle_bug_threshold' ), $t_project_id, $t_handler_id ) ) {
- return mci_soap_fault_access_denied( 'User \'' . $t_handler_id . '\' does not have access right to handle issues' );
- }
- }
-
- $t_bug_data->handler_id = $t_handler_id;
- }
+ mci_issue_handler_access_check( $t_user_id, $t_project_id, /* old */ $t_bug_data->handler_id, /* new */ $t_handler_id );
+ $t_bug_data->handler_id = $t_handler_id;
 
 $t_bug_data->category_id = $t_category_id;
 $t_bug_data->summary = $t_summary;