Fix #2993: Read/Write access levels not checked in custom fields

M bug_report_advanced_page.php
- Remove the spacer after the custom fields if no custom fields were printed.
- Make sure that the current user's access level >= required write access level.

M bug_report_page.php
- Remove the spacer after the custom fields if no custom fields were printed.
- Make sure that the current user's access level >= required write access level.

M bug_update_advanced_page.php
- Remove the spacer after the custom fields if no custom fields were printed.
- Make sure that the current user's access level >= required write access level.

M bug_update_page.php
- Remove the spacer after the custom fields if no custom fields were printed.
- Make sure that the current user's access level >= required write access level.

M bug_view_advanced_page.php
- Remove the spacer after the custom fields if no custom fields were printed.
- Make sure that the current user's access level >= required read access level.

M bug_view_page.php
- Remove the spacer after the custom fields if no custom fields were printed.
- Make sure that the current user's access level >= required read access level.

M core/custom_field_api.php
- (custom_field_has_read_access): Default $p_user to null for current user.
- (custom_field_has_write_access_to_project): Check write access based on project id rather than bug id.
  This is needed when adding a new bug.
- (custom_field_has_write_access): Changed to use custom_field_has_write_access_to_project().  Also defaulted
  $p_user_id to null for current user.
- (custom_field_set_value): Changed to check write access rather than read access level before setting the
  value of a custom field.


git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@2002 f5dc347c-c33d-0410-90a0-b07cc1902cb9

bug_report_advanced_page.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: bug_report_advanced_page.php,v 1.24 2003-02-18 02:18:00 jfitzell Exp $
+	# $Id: bug_report_advanced_page.php,v 1.25 2003-02-23 14:18:00 vboctor Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -291,20 +291,22 @@
 </tr>
 
 
-<!-- Custom Fields -->
-<?php
-	$t_related_custom_field_ids = custom_field_get_linked_ids( helper_get_current_project() );
-
-	# insert a spacer as long as we actually have some custom fields
-	if ( count( $t_related_custom_field_ids ) > 0 ) {
-?>
 <tr>
 	<td class="spacer" colspan="2">&nbsp;</td>
 </tr>
+
+
+<!-- Custom Fields -->
 <?php
-	} # if ( size( $t_related_custom_field_ids ) > 0 )
+	$t_custom_fields_found = false;
+	$t_related_custom_field_ids = custom_field_get_linked_ids( helper_get_current_project() );
 
 	foreach( $t_related_custom_field_ids as $t_id ) {
+		if( !custom_field_has_write_access_to_project( $t_id, helper_get_current_project() ) ) {
+			continue;
+		}
+
+		$t_custom_fields_found = true;
 		$t_def = custom_field_get_definition( $t_id );
 ?>
 <tr <?php echo helper_alternate_class() ?>>
@@ -320,10 +322,12 @@
 ?>
 
 
+<?php if ( $t_custom_fields_found ) { ?>
 <!-- spacer -->
 <tr>
 	<td class="spacer" colspan="2">&nbsp;</td>
 </tr>
+<?php } # custom fields found ?>
 
 
 <!-- File Upload (if enabled) -->

bug_report_page.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: bug_report_page.php,v 1.23 2003-02-18 02:18:00 jfitzell Exp $
+	# $Id: bug_report_page.php,v 1.24 2003-02-23 14:18:00 vboctor Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -161,22 +161,21 @@
 </tr>
 
 
-<!-- Custom Fields -->
-<?php
-	$t_related_custom_field_ids = custom_field_get_linked_ids( helper_get_current_project() );
-
-	# insert a spacer as long as we actually have some custom fields
-	if ( count( $t_related_custom_field_ids ) > 0 ) {
-?>
+<!-- spacer -->
 <tr>
 	<td class="spacer" colspan="2">&nbsp;</td>
 </tr>
+
+
+<!-- Custom Fields -->
 <?php
-	} # if ( size( $t_related_custom_field_ids ) > 0 )
+	$t_custom_fields_found = false;
+	$t_related_custom_field_ids = custom_field_get_linked_ids( helper_get_current_project() );
 
 	foreach( $t_related_custom_field_ids as $t_id ) {
 		$t_def = custom_field_get_definition( $t_id );
-		if( !$t_def['advanced'] ) {
+		if( !$t_def['advanced'] && custom_field_has_write_access_to_project( $t_id, helper_get_current_project() ) ) {
+			$t_custom_fields_found = true;
 ?>
 <tr <?php echo helper_alternate_class() ?>>
 	<td class="category">
@@ -187,15 +186,17 @@
 	</td>
 </tr>
 <?php
-		} # if (!$t_def['advanced'])
+		} # if (!$t_def['advanced']) && has write access
 	} # foreach( $t_related_custom_field_ids as $t_id )
 ?>
 
 
+<?php if ( $t_custom_fields_found ) { ?>
 <!-- spacer -->
 <tr>
 	<td class="spacer" colspan="2">&nbsp;</td>
 </tr>
+<?php } ?>
 
 
 <!-- File Upload (if enabled) -->

bug_update_advanced_page.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: bug_update_advanced_page.php,v 1.55 2003-02-21 00:32:37 vboctor Exp $
+	# $Id: bug_update_advanced_page.php,v 1.56 2003-02-23 14:18:00 vboctor Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -350,13 +350,21 @@
 </tr>
 
 
-<!-- Custom Fields -->
 <tr>
 	<td class="spacer" colspan="6">&nbsp;</td>
 </tr>
+
+
+<!-- Custom Fields -->
 <?php
+	$t_custom_fields_found = false;
 	$t_related_custom_field_ids = custom_field_get_linked_ids( helper_get_current_project() );
 	foreach( $t_related_custom_field_ids as $t_id ) {
+		if( !custom_field_has_write_access( $t_id, $f_bug_id ) ) {
+			continue;
+		}
+
+		$t_custom_fields_found = true;
 		$t_def = custom_field_get_definition( $t_id );
 ?>
 <tr <?php echo helper_alternate_class() ?>>
@@ -374,10 +382,12 @@
 ?>
 
 
+<?php if ( $t_custom_fields_found ) { ?>
 <!-- spacer -->
 <tr>
 	<td class="spacer" colspan="6">&nbsp;</td>
 </tr>
+<?php } # custom fields found ?>
 
 
 <!-- Bugnote Text Box -->

bug_update_page.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: bug_update_page.php,v 1.56 2003-02-21 00:32:37 vboctor Exp $
+	# $Id: bug_update_page.php,v 1.57 2003-02-23 14:18:00 vboctor Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -262,15 +262,19 @@
 </tr>
 
 
-<!-- Custom Fields -->
 <tr>
 	<td class="spacer" colspan="6">&nbsp;</td>
 </tr>
+
+
+<!-- Custom Fields -->
 <?php
+	$t_custom_fields_found = false;
 	$t_related_custom_field_ids = custom_field_get_linked_ids( helper_get_current_project() );
 	foreach( $t_related_custom_field_ids as $t_id ) {
 		$t_def = custom_field_get_definition( $t_id );
-		if( !$t_def['advanced'] ) {
+		if( !$t_def['advanced'] && custom_field_has_write_access( $t_id, $f_bug_id ) ) {
+			$t_custom_fields_found = true;
 ?>
 <tr <?php echo helper_alternate_class() ?>>
 	<td class="category">
@@ -288,11 +292,12 @@
 ?>
 
 
+<?php if ( $t_custom_fields_found ) { ?>
 <!-- spacer -->
 <tr>
 	<td class="spacer" colspan="6">&nbsp;</td>
 </tr>
-
+<?php } # custom fields found ?>
 
 <!-- Bugnote Text Box -->
 <tr <?php echo helper_alternate_class() ?>>

bug_view_advanced_page.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: bug_view_advanced_page.php,v 1.40 2003-02-21 00:32:37 vboctor Exp $
+	# $Id: bug_view_advanced_page.php,v 1.41 2003-02-23 14:18:00 vboctor Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -356,14 +356,22 @@
 </tr>
 
 
-<!-- Custom Fields -->
 <!-- spacer -->
 <tr height="5" class="spacer">
 	<td colspan="6"></td>
 </tr>
+
+
+<!-- Custom Fields -->
 <?php
+	$t_custom_fields_found = false;
 	$t_related_custom_field_ids = custom_field_get_linked_ids( helper_get_current_project() );
 	foreach( $t_related_custom_field_ids as $t_id ) {
+		if ( !custom_field_has_read_access( $t_id, $f_bug_id ) ) {
+			continue;			
+		} # has read access
+
+		$t_custom_fields_found = true;
 		$t_def = custom_field_get_definition( $t_id );
 ?>
 	<tr <?php echo helper_alternate_class() ?>>
@@ -385,11 +393,12 @@
 	} # foreach
 ?>
 
-
+<?php if ( $t_custom_fields_found ) { ?>
 <!-- spacer -->
 <tr height="5" class="spacer">
 	<td colspan="6"></td>
 </tr>
+<?php } # custom fields found ?>
 
 
 <!-- Attachments -->

bug_view_page.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: bug_view_page.php,v 1.41 2003-02-21 00:32:38 vboctor Exp $
+	# $Id: bug_view_page.php,v 1.42 2003-02-23 14:18:00 vboctor Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -270,16 +270,20 @@
 </tr>
 
 
-<!-- Custom Fields -->
 <!-- spacer -->
 <tr height="5" class="spacer">
 	<td colspan="6"></td>
 </tr>
+
+
+<!-- Custom Fields -->
 <?php
+	$t_custom_fields_found = false;
 	$t_related_custom_field_ids = custom_field_get_linked_ids( helper_get_current_project() );
 	foreach( $t_related_custom_field_ids as $t_id ) {
-		$t_def = custom_field_get_definition( $t_id );
-		if( !$t_def['advanced'] ) {
+		if( !$t_def['advanced'] && custom_field_has_read_access( $t_id, $f_bug_id ) ) {
+			$t_def = custom_field_get_definition( $t_id );
+			$t_custom_fields_found = true;
 ?>
 	<tr <?php echo helper_alternate_class() ?>>
 		<td class="category">
@@ -297,15 +301,17 @@
 		</td>
 	</tr>
 <?php
-		} # !$t_def['advanced']
+		} # !$t_def['advanced'] && has read access
 	} # foreach
 ?>
 
 
+<?php if ( $t_custom_fields_found ) { ?>
 <!-- spacer -->
 <tr height="5" class="spacer">
 	<td colspan="6"></td>
 </tr>
+<?php } # custom fields found ?>
 
 
 <!-- Attachments -->

core/custom_field_api.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: custom_field_api.php,v 1.18 2003-02-23 13:16:36 vboctor Exp $
+	# $Id: custom_field_api.php,v 1.19 2003-02-23 14:18:00 vboctor Exp $
 	# --------------------------------------------------------
 
 	$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
@@ -172,9 +172,13 @@ function custom_field_ensure_name_unique( $p_name ) {
 	# --------------------
 	# Return true if the user can read the value of the field for the given bug,
 	#  false otherwise.
-	function custom_field_has_read_access( $p_field_id, $p_bug_id, $p_user_id ) {
+	function custom_field_has_read_access( $p_field_id, $p_bug_id, $p_user_id = null ) {
 		custom_field_ensure_exists( $p_field_id );
 
+		if ( null === $p_user_id ) {
+			$p_user_id = auth_get_current_user_id();
+		}
+
 		$t_access_level_r = custom_field_get_field( $p_field_id, 'access_level_r' );
 
 		$t_project_id = bug_get_field( $p_bug_id, 'project_id' );
@@ -187,22 +191,32 @@ function custom_field_has_read_access( $p_field_id, $p_bug_id, $p_user_id ) {
 	}
 
 	# --------------------
-	# Return true if the user can modify the value of the field for the given bug,
+	# Return true if the user can modify the value of the field for the given project,
 	#  false otherwise.
-	function custom_field_has_write_access( $p_field_id, $p_bug_id, $p_user_id ) {
+	function custom_field_has_write_access_to_project( $p_field_id, $p_project_id, $p_user_id = null ) {
 		custom_field_ensure_exists( $p_field_id );
 
-		$t_access_level_rw = custom_field_get_field( $p_field_id, 'access_level_rw' );
+		if ( null === $p_user_id ) {
+			$p_user_id = auth_get_current_user_id();
+		}
 
-		$t_project_id = bug_get_field( $p_bug_id, 'project_id' );
+		$t_access_level_rw = custom_field_get_field( $p_field_id, 'access_level_rw' );
 
-		if ( user_get_access_level( $p_user_id, $t_project_id ) >= $t_access_level_rw ) {
+		if ( user_get_access_level( $p_user_id, $p_project_id ) >= $t_access_level_rw ) {
 			return true;
 		} else {
 			return false;
 		}
 	}
 
+	# --------------------
+	# Return true if the user can modify the value of the field for the given bug,
+	#  false otherwise.
+	function custom_field_has_write_access( $p_field_id, $p_bug_id, $p_user_id = null ) {
+		$t_project_id = bug_get_field( $p_bug_id, 'project_id' );
+		return ( custom_field_has_write_access_to_project( $p_field_id, $t_project_id, $p_user_id ) );
+	}
+
 	#===================================
 	# Creation / Deletion / Updating
 	#===================================
@@ -671,7 +685,7 @@ function custom_field_set_value( $p_field_id, $p_bug_id, $p_value ) {
 			return false;
 		}
 
-		if( !custom_field_has_read_access( $p_field_id, $p_bug_id, auth_get_current_user_id() ) ) {
+		if( !custom_field_has_write_access( $p_field_id, $p_bug_id, auth_get_current_user_id() ) ) {
 			return false;
 		}
 

doc/ChangeLog

@@ -28,6 +28,7 @@ Mantis ChangeLog
  * Fix #2980: Escaping fixes are not applied to the bug history table.
  * Fix #2982: Having email_set_category set to EMAIL_CATEGORY_PROJECT_CATEGORY erased various mail headers.
  * Fix #2989: Allow managers to manage bugnotes.
+ * Fix #2993: Read/Write access levels not checked in custom fields.
  * DB Upgrade: Added "id" primary key to bug history table.
  * Languages: Updated German localisation.
  * Changed confit option (default_notify_flags): remove 'admin', 'manager', and 'threshold' categories and add 'threshold_min' and 'threshold_max'