From ed9abc6cda3501f19a5624ea37de7abcdd3e7afc Mon Sep 17 00:00:00 2001
From: Rolf Kleef <rolf@drostan.org>
Date: Fri, 11 Jun 2010 19:43:04 +0200
Subject: [PATCH] Fix overwriting files and setting file permissions - 0007176 and others

---
 admin/move_db2disk.php |   29 ++++++++++++++++++++++++++---
 1 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/admin/move_db2disk.php b/admin/move_db2disk.php
index 605ec53..a09a36d 100644
--- a/admin/move_db2disk.php
+++ b/admin/move_db2disk.php
@@ -113,15 +113,36 @@ function upgrade_move_att2disk( $p_source ) {
 		if( $p_source == 'attachment' ) {
 			$t_project_id = bug_get_field( $t_row['bug_id'], 'project_id' );
 			$t_bug_id = $t_row['bug_id'];
+			// taken from file_api.php file_add(): TRUE value of
+			// $t_file_hash = ( 'bug' == $p_table ) ? $t_bug_id : config_get( 'document_files_prefix' ) . '-' . $t_project_id;
+			$t_file_hash = $t_bug_id;
 		} else {
 			$t_project_id = (int) $t_row['project_id'];
 			$t_bug_id = $t_project_id;
+			// taken from file_api.php file_add(): FALSE value of
+			// $t_file_hash = ( 'bug' == $p_table ) ? $t_bug_id : config_get( 'document_files_prefix' ) . '-' . $t_project_id;
+			$t_file_hash = config_get( 'document_files_prefix' ) . '-' . $t_project_id;
 		}
 
+		$t_file_name = $t_row['filename'];
+
+		// create unique name: taken from file_api.php file_add():
 		$t_file_path = project_get_field( $t_project_id, 'file_path' );
+		if( $t_file_path == '' ) {
+			$t_file_path = config_get( 'absolute_path_default_upload_folder' );
+		}
+
+		$t_unique_name = file_generate_unique_name( $t_file_hash . '-' . $t_file_name, $t_file_path );
+		// $t_disk_file_name seems not needed?
+		//$t_disk_file_name = $t_file_path . $t_unique_name;
+		$c_unique_name = db_prepare_string( $t_unique_name );
+		// end part from file_add()
+
+		// file_add() seems to not use this way to get the absolute prefix?
 		$prefix = get_prefix( $t_file_path );
 		$t_real_file_path = $prefix . $t_file_path;
-		$c_filename = file_clean_name( $t_row['filename'] );
+		// changed $c_filename into $c_unique_name in rest of function
+		// $c_filename = file_clean_name( $t_row['filename'] );
 
 		printf( "\n<tr %s><td>%8d</td><td>%s</td><td>", helper_alternate_class(), $t_bug_id, $t_row['filename'] );
 
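Review bot: `$c_unique_name` is run through `db_prepare_string()` but is then used as the on-disk file name (`$t_real_file_path . $c_unique_name` in the second hunk) and as a value bound through `db_param()`, and SQL escaping belongs in neither place. At best the call is a no-op; at worst the file is written under a name different from the one `file_generate_unique_name()` presumably checked for uniqueness. I would drop the escaping and use `$t_unique_name` directly in both `$t_file_name = $t_real_file_path . $t_unique_name;` and `$c_new_file_name = $t_file_path . $t_unique_name;`. With `file_clean_name()` commented out, the safety of the destination path also rests on `file_generate_unique_name()` returning a name free of path separators, which is not visible in this hunk and should be confirmed. The body of `upgrade_move_att2disk()` starts and ends outside the hunk.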
@@ -129,13 +150,15 @@ function upgrade_move_att2disk( $p_source ) {
 			echo 'Destination ' . $t_real_file_path . ' not writable';
 			$t_failures++;
 		} else {
-			$t_file_name = $t_real_file_path . $c_filename;
+			$t_file_name = $t_real_file_path . $c_unique_name;
 
 			// write file to disk store after adjusting the path
 			if( file_put_contents( $t_file_name, $t_row['content'] ) ) {
+				chmod( $t_file_name, config_get( 'attachments_file_permissions' ) );
+
 				// successful, update database
 				/** @todo do we want to check the size of data transfer matches here? */
-				$c_new_file_name = $t_file_path . $c_filename;
+				$c_new_file_name = $t_file_path . $c_unique_name;
 				$query2 = "UPDATE $t_file_table SET diskfile = " . db_param() . ",
 						folder = " . db_param() . ", content = '' WHERE id = " . db_param();
 				$update = @db_query_bound( $query2, Array( $c_new_file_name, $t_file_path, $t_row['id'] ) );
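Review bot: The return value of the added `chmod()` is ignored, so if it fails the attachment stays on disk with whatever permissions the process umask gave it, while the `UPDATE` below still sets `content = ''` in the database. A `false` return should be handled like the existing write failure, by incrementing `$t_failures` and skipping the `UPDATE`, for example behind `if( !chmod( $t_file_name, config_get( 'attachments_file_permissions' ) ) )`. It is also worth confirming that `attachments_file_permissions` is stored as an octal integer, since a string such as `'0400'` would be read by `chmod()` as decimal. The truthiness test on `file_put_contents()` accepts a partial write and rejects an empty attachment, so comparing the result against `strlen( $t_row['content'] )` before the database copy is cleared would resolve the existing `@todo`. The enclosing loop and function continue outside the hunk.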
-- 
1.7.0.4

