Commit
Fix #12553: Improve handling of allow_*_own_attachments options
There exist three existing options to allow users to view, download and delete their own attachments only (if they don't have wider permission to view, download and delete ANY attachment within a project). These options are:

$g_allow_view_own_attachments
$g_allow_download_own_attachments
$g_allow_delete_own_attachments

These options were not being factored into access checks correctly. Instead of checking who uploaded the attachment we were checking whether the current user is the reporter of the issue.... sometimes.

It is important to note that the bug_get_attachments() function in bug_api.php no longer performs any access checks. It is up to the caller to filter the attachments and validate access permissions. Use file_get_visible_attachments() from file_api.php instead if you want to get a filtered list of attachments that factors in access levels.

Thank you to Frank Rodgers for an initial patch and ideas on how to improve the handling of these options.
1 parent
bbcf0de
commit b41af6e
Showing 7 changed files with 33 additions and 37 deletions.