Hide 'View Revisions' if user has no access

Do not display the 'View Revisions' link to the user if they are not allowed to see it, both when displaying bugnotes and in bug history. Added $p_bug_id parameter to history_localize_item() function, it is needed to call access_can_view_revisions(). Adapted mci_issue_get_history() and email_format_bug_message() to use the new function signature. Fixes #20690
mantisbt · Dec 30, 2020 · 57e9b01 · 57e9b01
1 parent c9a8aca
commit 57e9b01
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 52 deletions.
diff --git a/api/soap/mc_issue_api.php b/api/soap/mc_issue_api.php
@@ -305,11 +305,13 @@ function mci_issue_get_history( $p_issue_id, $p_user_id, $p_lang ) {
 		}
 
 		$t_localized_row = history_localize_item(
+			$p_issue_id,
 			$t_history_row['field'],
 			$t_history_row['type'],
 			$t_history_row['old_value'],
 			$t_history_row['new_value'],
-			false );
+			false
+		);
 
 		$t_event['message'] = $t_localized_row['note'];
 

diff --git a/bugnote_view_inc.php b/bugnote_view_inc.php
@@ -189,9 +189,10 @@
 		<?php
 		if( $t_activity['modified'] ) {
 			echo '<p class="no-margin small lighter"><i class="fa fa-retweet"></i> ' . lang_get( 'last_edited') . lang_get( 'word_separator' ) . date( $t_normal_date_format, $t_activity['last_modified'] ) . '</p>';
-			$t_revision_count = bug_revision_count( $f_bug_id, REV_BUGNOTE, $t_activity['id'] );
-			if( $t_revision_count >= 1 ) {
-				$t_view_num_revisions_text = sprintf( lang_get( 'view_num_revisions' ), $t_revision_count );
+			if( access_can_view_bugnote_revisions( $t_activity['id'] ) ) {
+				$t_revision_count = bug_revision_count( $f_bug_id, REV_BUGNOTE, $t_activity['id'] );
+				if( $t_revision_count >= 1 ) {
+					$t_view_num_revisions_text = sprintf( lang_get( 'view_num_revisions' ), $t_revision_count );
 ?>
 		<p class="no-margin">
 			<span class="small bugnote-revisions-link">

diff --git a/core/email_api.php b/core/email_api.php
@@ -1837,7 +1837,14 @@ function email_format_bug_message( array $p_visible_bug_data ) {
 		$t_message .= $t_email_separator1 . " \n";
 
 		foreach( $p_visible_bug_data['history'] as $t_raw_history_item ) {
-			$t_localized_item = history_localize_item( $t_raw_history_item['field'], $t_raw_history_item['type'], $t_raw_history_item['old_value'], $t_raw_history_item['new_value'], false );
+			$t_localized_item = history_localize_item(
+				$t_raw_history_item['bug_id'],
+				$t_raw_history_item['field'],
+				$t_raw_history_item['type'],
+				$t_raw_history_item['old_value'],
+				$t_raw_history_item['new_value'],
+				false
+			);
 
 			$t_message .= utf8_str_pad( date( $t_normal_date_format, $t_raw_history_item['date'] ), 17 ) . utf8_str_pad( $t_raw_history_item['username'], 15 ) . utf8_str_pad( $t_localized_item['note'], 25 ) . utf8_str_pad( $t_localized_item['change'], 20 ) . "\n";
 		}

diff --git a/core/history_api.php b/core/history_api.php
@@ -172,7 +172,7 @@ function history_get_events_array( $p_bug_id, $p_user_id = null ) {
 		 * @var int $v_date
 		 */
 		extract( $t_item, EXTR_PREFIX_ALL, 'v' );
-		$t_history[$k] = history_localize_item( $v_field, $v_type, $v_old_value, $v_new_value );
+		$t_history[$k] = history_localize_item( $p_bug_id, $v_field, $v_type, $v_old_value, $v_new_value );
 		$t_history[$k]['date'] = date( $t_normal_date_format, $v_date );
 		$t_history[$k]['userid'] = $v_userid;
 		$t_history[$k]['username'] = $v_username;
@@ -474,6 +474,12 @@ function history_get_event_from_row( $p_result, $p_user_id = null, $p_check_acce
 			}
 		}
 
+		if( $v_type == BUG_REVISION_DROPPED || $v_type == BUGNOTE_REVISION_DROPPED ) {
+			if( !access_can_view_bug_revisions( $v_bug_id ) ) {
+				continue;
+			}
+		}
+
 		$t_event = array();
 		$t_event['bug_id'] = $v_bug_id;
 		$t_event['date'] = $v_date_modified;
@@ -727,16 +733,18 @@ function history_get_type_name( $p_type ) {
 }
 
 /**
- * Localizes one raw history item specified by set the next parameters: $p_field_name, $p_type, $p_old_value, $p_new_value
- * Returns array with two elements indexed as 'note' and 'change'
+ * Localizes one raw history item.
+ *
+ * @param int     $p_bug_id     Parent bug id
  * @param string  $p_field_name The field name of the field being localized.
  * @param integer $p_type       The type of the history entry.
  * @param string  $p_old_value  The old value of the field.
  * @param string  $p_new_value  The new value of the field.
  * @param boolean $p_linkify    Whether to return a string containing hyperlinks.
- * @return array
+ *
+ * @return array with two elements indexed as 'note' and 'change'
  */
-function history_localize_item( $p_field_name, $p_type, $p_old_value, $p_new_value, $p_linkify = true ) {
+function history_localize_item( $p_bug_id, $p_field_name, $p_type, $p_old_value, $p_new_value, $p_linkify = true ) {
 	$t_note = '';
 	$t_change = '';
 	$t_raw = true;
@@ -751,36 +759,15 @@ function history_localize_item( $p_field_name, $p_type, $p_old_value, $p_new_val
 	$t_field_localized = history_localize_field_name( $p_field_name );
 	switch( $p_field_name ) {
 		case 'status':
-			$p_old_value = get_enum_element( 'status', $p_old_value );
-			$p_new_value = get_enum_element( 'status', $p_new_value );
-			break;
 		case 'severity':
-			$p_old_value = get_enum_element( 'severity', $p_old_value );
-			$p_new_value = get_enum_element( 'severity', $p_new_value );
-			break;
 		case 'reproducibility':
-			$p_old_value = get_enum_element( 'reproducibility', $p_old_value );
-			$p_new_value = get_enum_element( 'reproducibility', $p_new_value );
-			break;
 		case 'resolution':
-			$p_old_value = get_enum_element( 'resolution', $p_old_value );
-			$p_new_value = get_enum_element( 'resolution', $p_new_value );
-			break;
 		case 'priority':
-			$p_old_value = get_enum_element( 'priority', $p_old_value );
-			$p_new_value = get_enum_element( 'priority', $p_new_value );
-			break;
 		case 'eta':
-			$p_old_value = get_enum_element( 'eta', $p_old_value );
-			$p_new_value = get_enum_element( 'eta', $p_new_value );
-			break;
 		case 'view_state':
-			$p_old_value = get_enum_element( 'view_state', $p_old_value );
-			$p_new_value = get_enum_element( 'view_state', $p_new_value );
-			break;
 		case 'projection':
-			$p_old_value = get_enum_element( 'projection', $p_old_value );
-			$p_new_value = get_enum_element( 'projection', $p_new_value );
+			$p_old_value = get_enum_element( $p_field_name, $p_old_value );
+			$p_new_value = get_enum_element( $p_field_name, $p_new_value );
 			break;
 		case 'sticky':
 			$p_old_value = gpc_string_to_bool( $p_old_value ) ? lang_get( 'yes' ) : lang_get( 'no' );
@@ -853,7 +840,10 @@ function history_localize_item( $p_field_name, $p_type, $p_old_value, $p_new_val
 				$t_note = lang_get( 'bugnote_edited' ) . ': ' . $p_old_value;
 				$t_old_value = (int)$p_old_value;
 				$t_new_value = (int)$p_new_value;
-				if( $p_linkify && bug_revision_exists( $t_new_value ) ) {
+				if( $p_linkify
+					&& bug_revision_exists( $t_new_value )
+					&& access_can_view_bugnote_revisions( $t_old_value )
+				) {
 					if( bugnote_exists( $t_old_value ) ) {
 						$t_bug_revision_view_page_argument = 'bugnote_id=' . $t_old_value . '#r' . $t_new_value;
 					} else {
@@ -868,27 +858,24 @@ function history_localize_item( $p_field_name, $p_type, $p_old_value, $p_new_val
 				$t_note = lang_get( 'bugnote_deleted' ) . ': ' . $p_old_value;
 				break;
 			case DESCRIPTION_UPDATED:
-				$t_note = lang_get( 'description_updated' );
-				$t_old_value = (int)$p_old_value;
-				if( $p_linkify && bug_revision_exists( $t_old_value ) ) {
-					$t_change = '<a href="bug_revision_view_page.php?rev_id=' . $t_old_value . '#r' . $t_old_value . '">' .
-						lang_get( 'view_revisions' ) . '</a>';
-					$t_raw = false;
-				}
-				break;
+			case STEP_TO_REPRODUCE_UPDATED:
 			case ADDITIONAL_INFO_UPDATED:
-				$t_note = lang_get( 'additional_information_updated' );
-				$t_old_value = (int)$p_old_value;
-				if( $p_linkify && bug_revision_exists( $t_old_value ) ) {
-					$t_change = '<a href="bug_revision_view_page.php?rev_id=' . $t_old_value . '#r' . $t_old_value . '">' .
-						lang_get( 'view_revisions' ) . '</a>';
-					$t_raw = false;
+				switch( $p_type ) {
+					case DESCRIPTION_UPDATED:
+						$t_note = lang_get( 'description_updated' );
+						break;
+					case STEP_TO_REPRODUCE_UPDATED:
+						$t_note = lang_get( 'steps_to_reproduce_updated' );
+						break;
+					case ADDITIONAL_INFO_UPDATED:
+						$t_note = lang_get( 'additional_information_updated' );
+						break;
 				}
-				break;
-			case STEP_TO_REPRODUCE_UPDATED:
-				$t_note = lang_get( 'steps_to_reproduce_updated' );
 				$t_old_value = (int)$p_old_value;
-				if( $p_linkify && bug_revision_exists( $t_old_value ) ) {
+				if( $p_linkify
+					&& bug_revision_exists( $t_old_value )
+					&& access_can_view_bug_revisions( $p_bug_id )
+				) {
 					$t_change = '<a href="bug_revision_view_page.php?rev_id=' . $t_old_value . '#r' . $t_old_value . '">' .
 						lang_get( 'view_revisions' ) . '</a>';
 					$t_raw = false;