View Issue Details
Field | Value
---|---
ID | 0012553
Project | mantisbt
Category | attachments
View Status | public
Date Submitted | 2010-11-23 10:18
Last Update | 2011-04-05 14:23
Reporter | frodgers
Assigned To | dhx
Priority | normal
Severity | tweak
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 1.2.3
Target Version | 1.2.5
Fixed in Version | 1.2.5
Summary | 0012553: Mantis user can not delete their own attachments
Description | The current configuration of Mantis allows attachments to be deleted from a bug under the following circumstances: I have made changes that now allow an attachment to be removed under the following circumstances:
Additional Information | I've included the patch.
Tags | patch
Attached Files | delete_attachment.patch (2,628 bytes)

From 8fbdd8efb11425126ae90f04fad581effaf0848d Mon Sep 17 00:00:00 2001 From: Frank Rodgers <frodgers@redcom.com> Date: Tue, 23 Nov 2010 09:54:58 -0500 Subject: [PATCH] See TR 14480, user was not able to delete their own attachments even though 'allow_delete_own_attachments' was ON. --- core/bug_api.php | 2 +- core/file_api.php | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/core/bug_api.php b/core/bug_api.php index 993783b..7f52857 100644 --- a/core/bug_api.php +++ b/core/bug_api.php @@ -1393,7 +1393,7 @@ function bug_get_attachments( $p_bug_id ) { $t_bug_file_table = db_get_table( 'mantis_bug_file_table' ); - $query = "SELECT id, title, diskfile, filename, filesize, file_type, date_added + $query = "SELECT id, title, diskfile, filename, filesize, file_type, date_added, user_id FROM $t_bug_file_table WHERE bug_id=" . db_param() . " ORDER BY date_added"; diff --git a/core/file_api.php b/core/file_api.php index 7221622..bfec054 100644 --- a/core/file_api.php +++ b/core/file_api.php @@ -146,6 +146,18 @@ function file_can_delete_bug_attachments( $p_bug_id ) { return $t_can_download; } +function file_can_delete_own_attachments( $p_user_id, $p_bug_id ) { + + $t_uploaded_by_me = ( auth_get_current_user_id() == $p_user_id ) ? true : false; + + $t_can_delete = access_has_bug_level( config_get( 'delete_attachments_threshold' ), $p_bug_id ); + + $t_can_delete = $t_can_delete || ( $t_uploaded_by_me && config_get( 'allow_delete_own_attachments' ) ); + + return $t_can_delete; + +} + # Get icon corresponding to the specified filename # returns an associative array with "url" and "alt" text. function file_get_icon_url( $p_display_filename ) { 
@@ -266,7 +278,6 @@ function file_get_visible_attachments( $p_bug_id ) { $t_attachments = array(); $t_can_download = file_can_download_bug_attachments( $p_bug_id ); - $t_can_delete = file_can_delete_bug_attachments( $p_bug_id ); $t_preview_text_ext = config_get( 'preview_text_extensions' ); $t_preview_image_ext = config_get( 'preview_image_extensions' ); @@ -298,7 +309,7 @@ function file_get_visible_attachments( $p_bug_id ) { $t_attachment['exists'] = config_get( 'file_upload_method' ) != DISK || file_exists( $t_diskfile ); $t_attachment['icon'] = file_get_icon_url( $t_attachment['display_name'] ); - $t_attachment['can_delete'] = $t_can_delete; + $t_attachment['can_delete'] = file_can_delete_own_attachments( $t_row['user_id'], $p_bug_id ); $t_attachment['preview'] = false; $t_attachment['type'] = ''; -- 1.6.0.4 | ||||
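Review bot: the SELECT in bug_get_attachments() (core/bug_api.php hunk) now returns `user_id`, but that function is a shared API and nothing in the hunk documents the new column; add it to the function's comment so callers other than file_get_visible_attachments() know the row carries the uploader's id and can apply the same ownership test rather than comparing against the issue reporter.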
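Review bot: in the first core/file_api.php hunk, file_can_delete_own_attachments() lacks the `#` doc comment the neighbouring functions carry, and its name understates what it does: it also grants deletion through `delete_attachments_threshold`, so either document that it is the combined check or name it accordingly. The `( auth_get_current_user_id() == $p_user_id ) ? true : false` can be just the comparison, and since `$p_user_id` comes straight from the database row an explicit `(int)` cast would make the intended comparison clear.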
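Review bot: the @@ -266 hunk removes `$t_can_delete = file_can_delete_bug_attachments( $p_bug_id );`, which leaves file_can_delete_bug_attachments() unreferenced in file_get_visible_attachments() while the new helper re-implements the same threshold check with access_has_bug_level(); keep a single place that evaluates `delete_attachments_threshold` (have the new helper call file_can_delete_bug_attachments(), or remove that function if it has no other callers) so the two checks cannot drift apart.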
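Review bot: in the @@ -298 hunk, `file_can_delete_own_attachments( $t_row['user_id'], $p_bug_id )` runs access_has_bug_level() once per attachment even though that part depends only on `$p_bug_id`; compute the threshold result once before the loop and evaluate only the ownership test per row. This line also depends on the `user_id` column added in core/bug_api.php: if `$t_row['user_id']` is missing the index is undefined and the ownership branch silently fails, so the two file changes must ship together.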
has duplicate | 0008134 | closed | it's not possible to delete own attachments |
Thanks Frank for the bug report and your initial patch. I have committed a patch of my own to solve the issue as I discovered these issues extended deeper into MantisBT's code (relating to viewing and downloading attachments too). I'd appreciate any testing that you may be able to perform with the latest changes to ensure it works as expected for you. My own testing showed that the latest changes work as intended :)
MantisBT: master b41af6ed 2010-12-25 02:51

Fix 0012553: Improve handling of allow_*_own_attachments options

There exist three existing options to allow users to view, download and delete their own attachments only (if they don't have wider permission to view, download and delete ANY attachment within a project). These options are:

- $g_allow_view_own_attachments
- $g_allow_download_own_attachments
- $g_allow_delete_own_attachments

These options were not being factored into access checks correctly. Instead of checking who uploaded the attachment we were checking whether the current user is the reporter of the issue.... sometimes.

It is important to note that the bug_get_attachments() function in bug_api.php no longer performs any access checks. It is up to the caller to filter the attachments and validate access permissions. Use file_get_visible_attachments() from file_api.php instead if you want to get a filtered list of attachments that factors in access levels.

Thank you to Frank Rodgers for an initial patch and ideas on how to improve the handling of these options.

Affected Issues: 0012553

Changed files:

- mod - api/soap/mc_issue_api.php
- mod - file_download.php
- mod - core/columns_api.php
- mod - bug_view_inc.php
- mod - core/file_api.php
- mod - core/bug_api.php
- mod - my_view_inc.php
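The commit message above describes the defect as "checking whether the current user is the reporter of the issue" instead of who uploaded the attachment. The following is an added example, not MantisBT's code: it puts the old reporter-based test beside the uploader-based test for all three `allow_*_own_attachments` options on constructed data. The threshold option names mirror MantisBT's configuration names, but the access levels, users and attachment row are constructed for the demonstration.

```php
<?php
// Added example, not MantisBT code: contrasts the reporter-based ownership test
// with the uploader-based test the fix introduces. Data below is constructed.
$config = [
    'view_attachments_threshold'     => 55, // DEVELOPER
    'download_attachments_threshold' => 55,
    'delete_attachments_threshold'   => 55,
    'allow_view_own_attachments'     => true,
    'allow_download_own_attachments' => true,
    'allow_delete_own_attachments'   => true,
];

// Constructed data: user 1 reported the issue, user 2 uploaded the attachment,
// user 3 is a developer who clears every threshold.
$bug        = ['id' => 100, 'reporter_id' => 1];
$attachment = ['id' => 7, 'bug_id' => 100, 'user_id' => 2];
$levels     = [1 => 25, 2 => 25, 3 => 55]; // REPORTER, REPORTER, DEVELOPER

function has_bug_level(array $levels, int $user_id, int $threshold): bool
{
    return ($levels[$user_id] ?? 0) >= $threshold;
}

// Old behaviour: "own" meant "current user is the issue reporter".
function can_old(string $action, int $uid, array $bug, array $att, array $config, array $levels): bool
{
    return has_bug_level($levels, $uid, $config["{$action}_attachments_threshold"])
        || ($config["allow_{$action}_own_attachments"] && $bug['reporter_id'] === $uid);
}

// Fixed behaviour: "own" means the attachment row's user_id is the current user.
function can_new(string $action, int $uid, array $bug, array $att, array $config, array $levels): bool
{
    return has_bug_level($levels, $uid, $config["{$action}_attachments_threshold"])
        || ($config["allow_{$action}_own_attachments"] && $att['user_id'] === $uid);
}

foreach (['view', 'download', 'delete'] as $action) {
    foreach ([1, 2, 3] as $uid) {
        printf("%-8s user %d: old=%-5s new=%s\n", $action, $uid,
            var_export(can_old($action, $uid, $bug, $attachment, $config, $levels), true),
            var_export(can_new($action, $uid, $bug, $attachment, $config, $levels), true));
    }
}
// The uploader (user 2) is denied by the old test and allowed by the new one;
// the reporter (user 1) no longer gains access merely for having reported the issue.
```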
MantisBT: master-1.2.x 5e8e7e26 2010-12-25 02:51

Fix 0012553: Improve handling of allow_*_own_attachments options

There exist three existing options to allow users to view, download and delete their own attachments only (if they don't have wider permission to view, download and delete ANY attachment within a project). These options are:

- $g_allow_view_own_attachments
- $g_allow_download_own_attachments
- $g_allow_delete_own_attachments

These options were not being factored into access checks correctly. Instead of checking who uploaded the attachment we were checking whether the current user is the reporter of the issue.... sometimes.

It is important to note that the bug_get_attachments() function in bug_api.php no longer performs any access checks. It is up to the caller to filter the attachments and validate access permissions. Use file_get_visible_attachments() from file_api.php instead if you want to get a filtered list of attachments that factors in access levels.

Thank you to Frank Rodgers for an initial patch and ideas on how to improve the handling of these options.

Affected Issues: 0012553

Changed files:

- mod - core/bug_api.php
- mod - core/columns_api.php
- mod - core/file_api.php
- mod - bug_view_inc.php
- mod - my_view_inc.php
- mod - api/soap/mc_issue_api.php
- mod - file_download.php