From 8fbdd8efb11425126ae90f04fad581effaf0848d Mon Sep 17 00:00:00 2001
From: Frank Rodgers
Date: Tue, 23 Nov 2010 09:54:58 -0500
Subject: [PATCH] See TR 14480, user was not able to delete their own attachments even though 'allow_delete_own_attachments' was ON.
---
 core/bug_api.php | 2 +-
 core/file_api.php | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/core/bug_api.php b/core/bug_api.php
index 993783b..7f52857 100644
--- a/core/bug_api.php
+++ b/core/bug_api.php
@@ -1393,7 +1393,7 @@ function bug_get_attachments( $p_bug_id ) {
 $t_bug_file_table = db_get_table( 'mantis_bug_file_table' );
- $query = "SELECT id, title, diskfile, filename, filesize, file_type, date_added
+ $query = "SELECT id, title, diskfile, filename, filesize, file_type, date_added, user_id
 FROM $t_bug_file_table
 WHERE bug_id=" . db_param() . "
 ORDER BY date_added";
diff --git a/core/file_api.php b/core/file_api.php
index 7221622..bfec054 100644
--- a/core/file_api.php
+++ b/core/file_api.php
@@ -146,6 +146,18 @@ function file_can_delete_bug_attachments( $p_bug_id ) {
 return $t_can_download;
 }
+function file_can_delete_own_attachments( $p_user_id, $p_bug_id ) {
+
+ $t_uploaded_by_me = ( auth_get_current_user_id() == $p_user_id ) ? true : false;
+
+ $t_can_delete = access_has_bug_level( config_get( 'delete_attachments_threshold' ), $p_bug_id );
+
+ $t_can_delete = $t_can_delete || ( $t_uploaded_by_me && config_get( 'allow_delete_own_attachments' ) );
+
+ return $t_can_delete;
+
+}
+
 # Get icon corresponding to the specified filename
 # returns an associative array with "url" and "alt" text.
 function file_get_icon_url( $p_display_filename ) {
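Review bot: The ownership test in the new `file_can_delete_own_attachments()` uses a loose `==` between `auth_get_current_user_id()` and the `user_id` column value, so an attachment row with no recorded uploader (NULL, empty or 0) would compare equal to a falsy current-user value under PHP's type juggling; whether either side can actually be empty is not visible in this diff and should be confirmed. Normalising both sides and rejecting an unknown uploader makes the rule explicit: `$t_uploaded_by_me = (int)$p_user_id > 0 && (int)auth_get_current_user_id() === (int)$p_user_id;`, which also drops the redundant `? true : false`. The helper has no header comment, unlike `file_get_icon_url()` right below it; `# Check whether the current user may delete an attachment uploaded by $p_user_id on bug $p_bug_id` would match the file's style. Only the tail of `file_can_delete_bug_attachments()` is visible as context, so any guard earlier in that function (a read-only-bug check, for instance) is presumably not applied on this new path and should be carried over if it exists.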
@@ -266,7 +278,6 @@ function file_get_visible_attachments( $p_bug_id ) {
 $t_attachments = array();
 $t_can_download = file_can_download_bug_attachments( $p_bug_id );
- $t_can_delete = file_can_delete_bug_attachments( $p_bug_id );
 $t_preview_text_ext = config_get( 'preview_text_extensions' );
 $t_preview_image_ext = config_get( 'preview_image_extensions' );
@@ -298,7 +309,7 @@ function file_get_visible_attachments( $p_bug_id ) {
 $t_attachment['exists'] = config_get( 'file_upload_method' ) != DISK || file_exists( $t_diskfile );
 $t_attachment['icon'] = file_get_icon_url( $t_attachment['display_name'] );
- $t_attachment['can_delete'] = $t_can_delete;
+ $t_attachment['can_delete'] = file_can_delete_own_attachments( $t_row['user_id'], $p_bug_id );
 $t_attachment['preview'] = false;
 $t_attachment['type'] = '';
-- 1.6.0.4
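Review bot: The `can_delete` value assigned in `file_get_visible_attachments()` is only the flag the attachment list displays, and the code that actually performs the deletion is not part of this patch, so the per-uploader rule is enforced only if that handler applies the same check. If it still calls `file_can_delete_bug_attachments( $p_bug_id )`, which remains defined in file_api.php, the list and the handler can disagree in either direction. A comment at the assignment would record the dependency: `# display hint only; the delete action must re-check file_can_delete_own_attachments() for this attachment's uploader`. The call also repeats the `config_get()` and `access_has_bug_level()` lookups for each `$t_row`, where the removed line evaluated the permission once per bug; the threshold result could be computed once and only the uploader comparison done per row. The function starts and ends outside this hunk.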