

Check proper issue access for changelog, roadmap
Use the actual access api checks for ensuring the user has view access
to each issue.

Fixes: #25115
cproensa committed Feb 4, 2020
1 parent e8cd836 commit acffd53
Showing 2 changed files with 6 additions and 24 deletions.
15 changes: 3 additions & 12 deletions changelog_page.php
Expand Up @@ -240,8 +240,6 @@ function print_project_header_changelog( $p_project_name ) {

foreach( $t_project_ids as $t_project_id ) {
$t_project_name = project_get_field( $t_project_id, 'name' );
$t_can_view_private = access_has_project_level( config_get( 'private_bug_threshold' ), $t_project_id );

$t_resolved = config_get( 'bug_resolved_status_threshold' );

# grab versions info for later use, excluding obsolete ones
Expand All @@ -252,7 +250,7 @@ function print_project_header_changelog( $p_project_name ) {

$t_project_header_printed = false;

$t_access_limit_reporters_applies = access_has_limited_view_for_reporter( $t_project_id );
$t_view_bug_threshold = config_get( 'view_bug_threshold', null, null, $t_project_id );

foreach( $t_version_rows as $t_version_row ) {
$t_version_header_printed = false;
Expand Down Expand Up @@ -284,17 +282,10 @@ function print_project_header_changelog( $p_project_name ) {
$t_result = db_query( $t_query, array( $t_project_id, $t_version ) );

while( $t_row = db_fetch_array( $t_result ) ) {
# hide private bugs if user doesn't have access to view them.
if( !$t_can_view_private && ( $t_row['view_state'] == VS_PRIVATE ) ) {
continue;
}

bug_cache_database_result( $t_row );

# check limit_Reporter (Issue #4770)
# reporters can view just issues they reported
if( $t_access_limit_reporters_applies
&& !bug_is_user_reporter( $t_row['id'], $t_user_id ) ) {
# verify the user can view this issue
if( !access_has_bug_level( $t_view_bug_threshold, $t_row['id'] ) ) {
continue;
}

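Review bot: The new gate `access_has_bug_level( $t_view_bug_threshold, $t_row['id'] )` relies on the function's default user, whereas the removed `bug_is_user_reporter( $t_row['id'], $t_user_id )` was handed `$t_user_id` explicitly. If `$t_user_id` is still assigned earlier in this page (outside the visible hunks), either pass it through, `access_has_bug_level( $t_view_bug_threshold, $t_row['id'], $t_user_id )`, or drop the now-unused variable, so that the visibility decision is clearly made for a single identity. The same applies to the matching loop in roadmap_page.php. The enclosing foreach and while bodies continue beyond the hunk, so any remaining uses of `$t_user_id` cannot be seen from here.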
15 changes: 3 additions & 12 deletions roadmap_page.php
Expand Up @@ -245,8 +245,6 @@ function print_project_header_roadmap( $p_project_name ) {

foreach( $t_project_ids as $t_project_id ) {
$t_project_name = project_get_field( $t_project_id, 'name' );
$t_can_view_private = access_has_project_level( config_get( 'private_bug_threshold' ), $t_project_id );

$t_resolved = config_get( 'bug_resolved_status_threshold' );

$t_version_rows = array_reverse( version_get_all_rows( $t_project_id ) );
Expand All @@ -256,7 +254,7 @@ function print_project_header_roadmap( $p_project_name ) {

$t_project_header_printed = false;

$t_access_limit_reporters_applies = access_has_limited_view_for_reporter( $t_project_id );
$t_view_bug_threshold = config_get( 'view_bug_threshold', null, null, $t_project_id );

foreach( $t_version_rows as $t_version_row ) {
if( $t_version_row['released'] == 1 ) {
Expand Down Expand Up @@ -292,17 +290,10 @@ function print_project_header_roadmap( $p_project_name ) {
$t_issue_handlers = array();

while( $t_row = db_fetch_array( $t_result ) ) {
# hide private bugs if user doesn't have access to view them.
if( !$t_can_view_private && ( $t_row['view_state'] == VS_PRIVATE ) ) {
continue;
}

bug_cache_database_result( $t_row );

# check limit_Reporter (Issue #4770)
# reporters can view just issues they reported
if( $t_access_limit_reporters_applies
&& !bug_is_user_reporter( $t_row['id'], $t_user_id ) ) {
# verify the user can view this issue
if( !access_has_bug_level( $t_view_bug_threshold, $t_row['id'] ) ) {
continue;
}

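Review bot: The comment `# verify the user can view this issue` does not record that this one call now stands in for both the removed private `view_state` filter and the removed limit-reporters filter, which makes it easy for a later edit to re-add an ad-hoc check or move output above it. I would expand it to something like `# access_has_bug_level() is the only visibility gate in this loop (private issues, limit_reporters); keep it ahead of any output or counting`. It is also worth noting that `bug_cache_database_result( $t_row )` now runs for rows the user may not view, presumably so that the check can read the row from the cache. The commit is described as an access-check fix (Fixes: #25115), so a regression test that loads the roadmap and changelog as a user without view access to a listed issue would be worth adding; none is visible in this commit. The same comment applies to changelog_page.php.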
