Fix #14015: attachment deletion: remove update_bug_threshold check

davidhicks · davidhicks · commit 628e93708fa7 · 2012-06-02T21:41:44.000+10:00
As reported by Roland Becker (MantisBT developer):

Although configuration option allow_delete_own_attachments is set to ON
reporters cannot delete their own attachments. After pushing the delete
button you get "Access Denied"

Issue #14016 implemented correct attachment deletion access control
checks against delete_attachments_threshold. We should be using this
threshold instead of update_bug_threshold because attachments aren't
linked to the core fields of an issue -- they are frequently related to
comments (bugnotes) provided by less privileged users.

$g_allow_delete_own_attachments should now work again... safely.

Conflicts:
	bug_file_delete.php
diff --git a/api/soap/mc_issue_attachment_api.php b/api/soap/mc_issue_attachment_api.php
@@ -71,11 +71,7 @@ function mc_issue_attachment_delete( $p_username, $p_password, $p_issue_attachme
 
 	$t_bug_id = file_get_field( $p_issue_attachment_id, 'bug_id' );
 
-	# Check access against update_bug_threshold
-	if( !access_has_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id, $t_user_id ) ) {
-		return mci_soap_fault_access_denied( $t_user_id );
-	}
-
+	# Perform access control checks
 	$t_attachment_owner = file_get_field( $f_file_id, 'user_id' );
 	$t_current_user_is_attachment_owner = $t_attachment_owner == $t_user_id;
 	# Factor in allow_delete_own_attachments=ON|OFF
diff --git a/bug_file_delete.php b/bug_file_delete.php
@@ -42,8 +42,6 @@
 		$g_project_override = $t_bug->project_id;
 	}
 
-	access_ensure_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id );
-
 	$t_attachment_owner = file_get_field( $f_file_id, 'user_id' );
 	$t_current_user_is_attachment_owner = $t_attachment_owner == auth_get_current_user_id();
 	if ( !$t_current_user_is_attachment_owner || ( $t_current_user_is_attachment_owner && !config_get( 'allow_delete_own_attachments' ) ) ) {

Original file line number	Diff line number	Diff line change
`@@ -42,8 +42,6 @@`
`42`	`42`	`$g_project_override = $t_bug->project_id;`
`43`	`43`	`}`
`44`	`44`
`45`		`- access_ensure_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id );`
`46`		`-`
`47`	`45`	`$t_attachment_owner = file_get_field( $f_file_id, 'user_id' );`
`48`	`46`	`$t_current_user_is_attachment_owner = $t_attachment_owner == auth_get_current_user_id();`
`49`	`47`	`if ( !$t_current_user_is_attachment_owner \|\| ( $t_current_user_is_attachment_owner && !config_get( 'allow_delete_own_attachments' ) ) ) {`