From 866a78c908dff1b080b239d6396cf93d966157e3 Mon Sep 17 00:00:00 2001
From: hyung-hwan
Date: Wed, 30 Dec 2015 08:20:20 +0000
Subject: [PATCH] fixed a permission problem in issum management
---
 codepot/src/codepot/controllers/issue.php | 46 +++++++++++++++--------
 codepot/src/codepot/models/issuemodel.php | 18 +++++++--
 codepot/src/codepot/views/issue_show.php | 5 +--
 3 files changed, 48 insertions(+), 21 deletions(-)
diff --git a/codepot/src/codepot/controllers/issue.php b/codepot/src/codepot/controllers/issue.php
index 7c0b52fa..c77a9773 100644
--- a/codepot/src/codepot/controllers/issue.php
+++ b/codepot/src/codepot/controllers/issue.php
@@ -545,11 +545,13 @@ DEPRECATED
 {
 $status = "error - no such project {$projectid}";
 }
- else if (!$login['sysadmin?'] &&
- $this->projects->projectHasMember($projectid, $login['id']) === FALSE)
- {
- $status = "error - not a member {$login['id']}";
- }
+ // By default, any logged-in user can create an issue.
+ // TODO: add a project option to accept an issue from anonymous users, logged-in users or just members.
+ //else if (!$login['sysadmin?'] &&
+ // $this->projects->projectHasMember($projectid, $login['id']) === FALSE)
+ //{
+ // $status = "error - not a member {$login['id']}";
+ //}
 else
 {
 $issue = new stdClass();
@@ -629,7 +631,7 @@ DEPRECATED
 print $status;
 }
- function xhr_update ($projectid = '')
+ function xhr_update ($projectid = '', $issueid = '')
 {
 $this->load->model ('ProjectModel', 'projects');
 $this->load->model ('IssueModel', 'issues');
@@ -644,6 +646,8 @@ DEPRECATED
 }
 else
 {
+ $issueid = $this->converter->HexToAscii ($issueid);
+
 $project = $this->projects->get ($projectid);
 if ($project === FALSE)
 {
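Review bot: The removed membership check in the `@@ -545` hunk is kept as five commented-out `//else if …` lines directly under the new policy comment; the two explanatory lines already record the decision, so the dead block should be deleted rather than left in the method body. After this hunk, issue creation is gated only by the login branch that precedes it, which lies outside the hunk, so whether anonymous requests are still refused depends on that earlier check and cannot be confirmed here. The enclosing method starts and ends outside the hunk.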
@@ -653,16 +657,20 @@ DEPRECATED
 {
 $status = "error - no such project {$projectid}";
 }
+ // By default, any logged-in user can edit an issue text.
+ // TODO: add a project option to accept an issue from anonymous users, logged-in users or just members.
 else if (!$login['sysadmin?'] &&
- $this->projects->projectHasMember($projectid, $login['id']) === FALSE)
+ $this->projects->projectHasMember($projectid, $login['id']) === FALSE &&
+ ($issue = $this->issues->get ($login['id'], $project, $issueid)) !== FALSE &&
+ $login['id'] != $issue->createdby)
 {
- $status = "error - not a member {$login['id']}";
+ $status = "error - not a member nor a creator - {$login['id']}";
 }
 else
 {
 $issue = new stdClass();
 $issue->projectid = $projectid;
- $issue->id = $this->input->post('issue_edit_id');
+ $issue->id = $issueid;
 $issue->summary = $this->input->post('issue_edit_summary');
 $issue->description = $this->input->post('issue_edit_description');
 //$issue->type = $this->input->post('issue_edit_type');
@@ -733,7 +741,7 @@ DEPRECATED
 else
 {
 $post_delete_confirm = $this->input->post('issue_delete_confirm');
-
+
 if ($post_delete_confirm !== FALSE && $post_delete_confirm == 'Y')
 {
 if ($this->issues->deleteWithFiles ($login['id'], $projectid, $issueid) === FALSE)
@@ -781,10 +789,14 @@ DEPRECATED
 {
 $status = "error - no such project {$projectid}";
 }
+ // By default, any logged-in user can attach a file to an issue body.
+ // TODO: add a project option to accept an issue from anonymous users, logged-in users or just members.
 else if (!$login['sysadmin?'] &&
- $this->projects->projectHasMember($projectid, $login['id']) === FALSE)
+ $this->projects->projectHasMember($projectid, $login['id']) === FALSE &&
+ ($issue = $this->issues->get ($login['id'], $project, $issueid)) !== FALSE &&
+ $login['id'] != $issue->createdby)
 {
- $status = "error - not a member {$login['id']}";
+ $status = "error - not a member nor a creator - {$login['id']}";
 }
 else
 {
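Review bot: The new creator test in the `@@ -653` hunk lets a non-member through whenever the issue cannot be loaded: when `$this->issues->get (...)` returns FALSE the `&&` chain short-circuits to false, the request drops into the `else` branch, and the update proceeds with an `$issueid` that was never verified (including the empty id the previous hunk produces when the URL segment is missing). The lookup belongs in its own branch that reports the missing issue, with the member-or-creator comparison applied afterwards; the fetched object should also get a name other than `$issue`, which the `else` branch immediately overwrites with `new stdClass()`. The `!=` against `createdby` is a loose comparison — whether `!==` is safe depends on the types the login and DB layers return, which are not visible here. The same pattern appears in the `@@ -781` and `@@ -859` hunks of this file; the enclosing methods start and end outside the hunks.
```php
// … unchanged: project lookup and the "no such project" branch …
else if (($existing = $this->issues->get ($login['id'], $project, $issueid)) === FALSE)
{
	$status = "error - no such issue {$issueid}";
}
// By default, any logged-in user can edit an issue text.
// TODO: add a project option to accept an issue from anonymous users, logged-in users or just members.
else if (!$login['sysadmin?'] &&
         $this->projects->projectHasMember($projectid, $login['id']) === FALSE &&
         $login['id'] != $existing->createdby)
{
	$status = "error - not a member nor a creator - {$login['id']}";
}
// … unchanged: else branch that builds the new $issue object …
```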
@@ -798,7 +810,7 @@ DEPRECATED
 $fid = "issue_add_file_{$i}";
 if (array_key_exists($fid, $_FILES) && $_FILES[$fid]['name'] != '')
 {
- $d = $this->input->post("file_add_file_desc_{$i}");
+ $d = $this->input->post("issue_add_file_desc_{$i}");
 if ($d === FALSE || ($d = trim($d)) == '') $d = '';
 if (strpos($_FILES[$fid]['name'], ':') !== FALSE ||
@@ -859,10 +871,14 @@ DEPRECATED
 {
 $status = "error - no such project {$projectid}";
 }
+ // By default, any logged-in user can edit attached files.
+ // TODO: add a project option to accept an issue from anonymous users, logged-in users or just members.
 else if (!$login['sysadmin?'] &&
- $this->projects->projectHasMember($projectid, $login['id']) === FALSE)
+ $this->projects->projectHasMember($projectid, $login['id']) === FALSE &&
+ ($issue = $this->issues->get ($login['id'], $project, $issueid)) !== FALSE &&
+ $login['id'] != $issue->createdby)
 {
- $status = "error - not a member {$login['id']}";
+ $status = "error - not a member nor a creator - {$login['id']}";
 }
 else
 {
diff --git a/codepot/src/codepot/models/issuemodel.php b/codepot/src/codepot/models/issuemodel.php
index 5e4c160c..7bd704e9 100644
--- a/codepot/src/codepot/models/issuemodel.php
+++ b/codepot/src/codepot/models/issuemodel.php
@@ -593,6 +593,8 @@ class IssueModel extends Model
 function updateSummaryAndDescription ($userid, $issue)
 {
 // TODO: check if userid can do this..
+ $this->db->trans_begin (); // manual transaction. not using trans_start().
+
 $this->db->trans_start ();
 $this->db->where ('projectid', $issue->projectid);
 $this->db->where ('id', $issue->id);
@@ -601,6 +603,12 @@ class IssueModel extends Model
 $this->db->set ('updatedon', date('Y-m-d H:i:s'));
 $this->db->set ('updatedby', $userid);
 $this->db->update ('issue');
+ if ($this->db->trans_status() === FALSE)
+ {
+ $this->errmsg = $this->db->_error_message();
+ $this->db->trans_rollback ();
+ return FALSE;
+ }
 $this->db->set ('createdon', date('Y-m-d H:i:s'));
 $this->db->set ('type', 'issue');
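Review bot: In the `@@ -593` hunk `$this->db->trans_begin ()` is added with the comment `not using trans_start()`, yet the context line directly below still calls `$this->db->trans_start ()`, and the `@@ -609` hunk of this file removes the matching `trans_complete ()` that used to close it. If the bundled driver behaves like stock CodeIgniter, `trans_start()` raises the transaction nesting depth, and with the depth left above zero the manual `trans_commit ()` / `trans_rollback ()` calls added in `@@ -601` and `@@ -609` return early without committing or rolling back anything — worth confirming against the project's CI version. Removing the `$this->db->trans_start ();` line, as the new comment already intends, makes the manual transaction take effect. `updateSummaryAndDescription` continues past this hunk.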
@@ -609,10 +617,14 @@ class IssueModel extends Model
 $this->db->set ('userid', $userid);
 $this->db->set ('message', $issue->id);
 $this->db->insert ('log');
+ if ($this->db->trans_status() === FALSE)
+ {
+ $this->errmsg = $this->db->_error_message();
+ $this->db->trans_rollback ();
+ return FALSE;
+ }
- $this->db->trans_complete ();
- if ($this->db->trans_status() === FALSE) return FALSE;
-
+ $this->db->trans_commit ();
 return $issue->id;
 }
diff --git a/codepot/src/codepot/views/issue_show.php b/codepot/src/codepot/views/issue_show.php
index 37df7027..55e807da 100644
--- a/codepot/src/codepot/views/issue_show.php
+++ b/codepot/src/codepot/views/issue_show.php
@@ -234,13 +234,12 @@ $(function () {
 var form_data = new FormData();
- form_data.append ('issue_edit_id', 'id; ?>');
 form_data.append ('issue_edit_summary', $('#issue_show_mainarea_edit_summary').val());
 form_data.append ('issue_edit_description', $('#issue_show_mainarea_edit_description').val());
 $('#issue_show_mainarea_edit_form').dialog('disable');
 $.ajax({
- url: codepot_merge_path('', 'id}"; ?>'),
+ url: codepot_merge_path('', 'id}/{$hex_issue_id}"; ?>'),
 type: 'POST',
 data: form_data,
 mimeType: 'multipart/form-data',
@@ -787,7 +786,7 @@ $this->load->view (
 htmlspecialchars($f->filename)
 );
- if (!empty($f->description)) printf ('- %s', htmlspecialchars($f->description));
+ if (!empty($f->description)) printf (' - %s', htmlspecialchars($f->description));
 print '';
 }
 ?>
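Review bot: The result of `$this->db->trans_commit ()` in the `@@ -609` hunk is discarded, so a failed commit still reports success by returning `$issue->id`, unlike the two rollback paths in this function which set `$this->errmsg` and return FALSE. Handle it the same way: `if ($this->db->trans_commit () === FALSE) { $this->errmsg = $this->db->_error_message(); return FALSE; }`. The error paths also reach into the underscore-prefixed `_error_message()` driver method; if the project's CodeIgniter version exposes a public error accessor, prefer it, but that cannot be confirmed from this hunk. The start of `updateSummaryAndDescription` lies in the previous hunks.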