View Issue Details

WikiRelated ChangesetsJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0012553mantisbtattachmentspublic2010-11-23 10:182011-04-05 14:23
Reporterfrodgers Assigned Todhx  
PrioritynormalSeveritytweakReproducibilityalways
Status closedResolutionfixed 
Product Version1.2.3 
Target Version1.2.5Fixed in Version1.2.5 
Summary0012553: Mantis user can not delete their own attachments
Description

The current configuration of Mantis allows attachments be deleted from a bug under the following circumstances:
1) delete_attachments_threshold is met.
2) You created the report and allow_delete_own_attachments is ON.

I have made changes that now allow an attachment to be removed under the following circumstances:
1) delete_attachments_threshold is met.
2) You uploaded the attachment and allow_delete_own_attachments is ON
Checking is done file based so no other user can delete the original uploaders attachment unless they meet the delete_attachments_threshold.

Additional Information

I've included the patch.

Tagspatch
Attached Files
delete_attachment.patch (2,628 bytes)    
From 8fbdd8efb11425126ae90f04fad581effaf0848d Mon Sep 17 00:00:00 2001
From: Frank Rodgers <frodgers@redcom.com>
Date: Tue, 23 Nov 2010 09:54:58 -0500
Subject: [PATCH] See TR 14480, user was not able to delete their own attachments even though 'allow_delete_own_attachments' was ON.

---
 core/bug_api.php  |    2 +-
 core/file_api.php |   15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/core/bug_api.php b/core/bug_api.php
index 993783b..7f52857 100644
--- a/core/bug_api.php
+++ b/core/bug_api.php
@@ -1393,7 +1393,7 @@ function bug_get_attachments( $p_bug_id ) {
 
 	$t_bug_file_table = db_get_table( 'mantis_bug_file_table' );
 
-	$query = "SELECT id, title, diskfile, filename, filesize, file_type, date_added
+	$query = "SELECT id, title, diskfile, filename, filesize, file_type, date_added, user_id
 		                FROM $t_bug_file_table
 		                WHERE bug_id=" . db_param() . "
 		                ORDER BY date_added";
diff --git a/core/file_api.php b/core/file_api.php
index 7221622..bfec054 100644
--- a/core/file_api.php
+++ b/core/file_api.php
@@ -146,6 +146,18 @@ function file_can_delete_bug_attachments( $p_bug_id ) {
 	return $t_can_download;
 }
 
+function file_can_delete_own_attachments( $p_user_id, $p_bug_id ) {
+
+	$t_uploaded_by_me = ( auth_get_current_user_id() == $p_user_id ) ? true : false;
+
+	$t_can_delete = access_has_bug_level( config_get( 'delete_attachments_threshold' ), $p_bug_id );
+
+	$t_can_delete = $t_can_delete || ( $t_uploaded_by_me && config_get( 'allow_delete_own_attachments' ) );
+
+	return $t_can_delete;
+
+}
+
 # Get icon corresponding to the specified filename
 # returns an associative array with "url" and "alt" text.
 function file_get_icon_url( $p_display_filename ) {
@@ -266,7 +278,6 @@ function file_get_visible_attachments( $p_bug_id ) {
 	$t_attachments = array();
 
 	$t_can_download = file_can_download_bug_attachments( $p_bug_id );
-	$t_can_delete = file_can_delete_bug_attachments( $p_bug_id );
 	$t_preview_text_ext = config_get( 'preview_text_extensions' );
 	$t_preview_image_ext = config_get( 'preview_image_extensions' );
 
@@ -298,7 +309,7 @@ function file_get_visible_attachments( $p_bug_id ) {
 
 		$t_attachment['exists'] = config_get( 'file_upload_method' ) != DISK || file_exists( $t_diskfile );
 		$t_attachment['icon'] = file_get_icon_url( $t_attachment['display_name'] );
-		$t_attachment['can_delete'] = $t_can_delete;
+		$t_attachment['can_delete'] = file_can_delete_own_attachments( $t_row['user_id'], $p_bug_id );
 
 		$t_attachment['preview'] = false;
 		$t_attachment['type'] = '';
-- 
1.6.0.4
delete_attachment.patch (2,628 bytes)   

Relationships

has duplicate 0008134 closed it's not possible to delete own attachments 

Activities

dhx

dhx

2010-12-25 03:39

reporter   ~0027696

Thanks Frank for the bug report and your initial patch.

I have committed a patch of my own to solve the issue as I discovered these issues extended deeper into MantisBT's code (relating to viewing and downloading attachments too).

I'd appreciate any testing that you may be able to perform with the latest changes to ensure it works as expected for you. My own testing showed that the latest changes work as intended :)

Related Changesets

MantisBT: master b41af6ed

2010-12-25 02:51

dhx


Details Diff		 Fix 0012553: Improve handling of allow_*_own_attachments options

There exists three existing options to allow users to view, download and
delete their own attachments only (if they don't have wider permission
to view, download and delete ANY attachment within a project). These
options are:
$g_allow_view_own_attachments
$g_allow_download_own_attachments
$g_allow_delete_own_attachments

These options were not being factored into access checks correctly.
Instead of checking who uploaded the attachment we were checking whether
the current user is the reporter of the issue.... sometimes.

It is important to note that the bug_get_attachments() function in
bug_api.php no longer performs any access checks. It is up to the caller
to filter the attachments and validate access permissions. Use
file_get_visible_attachments() from file_api.php instead if you want to
get a filtered list of attachments that factors in access levels.

Thank you to Frank Rodgers for an intial patch and ideas on how to
improve the handling of these options.		 Affected Issues
0012553
mod - api/soap/mc_issue_api.php Diff File
mod - file_download.php Diff File
mod - core/columns_api.php Diff File
mod - bug_view_inc.php Diff File
mod - core/file_api.php Diff File
mod - core/bug_api.php Diff File
mod - my_view_inc.php Diff File

MantisBT: master-1.2.x 5e8e7e26

2010-12-25 02:51

dhx


Details Diff		 Fix 0012553: Improve handling of allow_*_own_attachments options

There exists three existing options to allow users to view, download and
delete their own attachments only (if they don't have wider permission
to view, download and delete ANY attachment within a project). These
options are:
$g_allow_view_own_attachments
$g_allow_download_own_attachments
$g_allow_delete_own_attachments

These options were not being factored into access checks correctly.
Instead of checking who uploaded the attachment we were checking whether
the current user is the reporter of the issue.... sometimes.

It is important to note that the bug_get_attachments() function in
bug_api.php no longer performs any access checks. It is up to the caller
to filter the attachments and validate access permissions. Use
file_get_visible_attachments() from file_api.php instead if you want to
get a filtered list of attachments that factors in access levels.

Thank you to Frank Rodgers for an intial patch and ideas on how to
improve the handling of these options.		 Affected Issues
0012553
mod - core/bug_api.php Diff File
mod - core/columns_api.php Diff File
mod - core/file_api.php Diff File
mod - bug_view_inc.php Diff File
mod - my_view_inc.php Diff File
mod - api/soap/mc_issue_api.php Diff File
mod - file_download.php Diff File