Commit 0183678b authored by Richard Mansfield's avatar Richard Mansfield

Allow users to view files attached to feedback they can see (bug #663545)


Signed-off-by: default avatarRichard Mansfield <richard.mansfield@catalyst.net.nz>
parent 6e479421
......@@ -602,6 +602,39 @@ class ArtefactTypeComment extends ArtefactType {
}
return $url;
}
// Check whether the logged-in user can see a comment within the
// context of a given view. Does not check whether the user can
// view the view.
public function viewable_in($viewid) {
global $USER;
if ($this->get('deletedby')) {
return false;
}
if ($USER->is_logged_in()) {
if ($USER->can_view_artefact($this)) {
return true;
}
if ($this->get('author') == $USER->get('id')) {
return true;
}
}
if ($this->get('private')) {
return false;
}
if ($onview = $this->get('onview')) {
return $onview == $viewid;
}
if ($onartefact = $this->get('onartefact')) {
return artefact_in_view($onartefact, $viewid);
}
return false;
}
}
/* To make private comments public, both the author and the owner must agree. */
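Review bot: The three-line header on viewable_in() understates its contract in a way that matters for the callers that use it as an access check: for a logged-in user the `$USER->can_view_artefact($this)` and author tests return true before `$viewid` is consulted at all, and a `private` comment is then refused to everyone else regardless of view, while only the remaining two branches actually relate the comment to `$viewid`. It also says "Does not check whether the user can view the view", which is the right caveat but is easy to miss in a `//` run. Suggest replacing the three `//` lines with a PHPDoc block stating the purpose, `@param int $viewid`, `@return bool`, that owner/author short-circuit to true independent of `$viewid`, and that the caller remains responsible for checking access to the view itself. Minor: `$this->get('author') == $USER->get('id')` and `$onview == $viewid` are loose comparisons; if both sides are guaranteed ints a `===` would be safer, but that depends on what `get()` and `param_integer()` return, which is not visible here.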
......
......@@ -26,7 +26,7 @@
{if $item->makepublicrequested} | <span>{str tag=youhaverequestedpublic section=artefact.comment}</span>{/if}
{strip}
{foreach $item->attachments item=a name=attachments}
{if $.foreach.attachments.first} | <span>{str tag=Attachments section=artefact.comment}:{else},{/if} <a href="{$WWWROOT}artefact/file/download.php?file={$a->attachid}">{$a->attachtitle}</a> ({$a->attachsize})</span>
{if $.foreach.attachments.first} | <span>{str tag=Attachments section=artefact.comment}:{else},{/if} <a href="{$WWWROOT}artefact/file/download.php?file={$a->attachid}&comment={$item->id}&view={$viewid}">{$a->attachtitle}</a> ({$a->attachsize})</span>
{/foreach}
{/strip}
{if $item->canedit} | <span><a href="{$WWWROOT}artefact/comment/edit.php?id={$item->id}&view={$viewid}" class="btn-edit">{str tag=edit}</a></span>{/if}
......
......@@ -47,7 +47,20 @@ else {
}
if ($viewid && $fileid) {
if (!artefact_in_view($fileid, $viewid)) {
// The user may be trying to download a file that's not in the view, but which has
// been attached to public feedback on the view
if ($commentid = param_integer('comment', null)) {
if (!record_exists('artefact_attachment', 'artefact', $commentid, 'attachment', $fileid)) {
throw new AccessDeniedException('');
}
safe_require('artefact', 'comment');
$comment = new ArtefactTypeComment($commentid);
if (!$comment->viewable_in($viewid)) {
throw new AccessDeniedException('');
}
}
else if (!artefact_in_view($fileid, $viewid)) {
throw new AccessDeniedException('');
}
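Review bot: The comment branch grants the download on `$comment->viewable_in($viewid)` alone, and that method's own header (in the first hunk of this commit) says it does not check whether the user can see the view; since the remainder of this `if ($viewid && $fileid)` block lies outside the hunk, I cannot confirm that the view-visibility check applied to ordinary downloads is still reached on this path. If it is not, anyone who can guess a view id, a public comment id and an attachment id could fetch attachments from a view that has not been shared with them, so please either confirm the later check covers this branch or repeat it inside the branch, e.g. `if (!$comment->viewable_in($viewid) || !/* same view-access check as the plain path */) { throw new AccessDeniedException(''); }`. Two smaller points: the branch runs whenever `comment` is present, so a request for a file that is genuinely in the view but carries a bogus `comment` id is now refused where it used to be allowed (harmless, but worth a comment such as `// A comment id, if given, takes precedence over membership of the view`), and the `else if (!artefact_in_view($fileid, $viewid))` at the end reads as a duplicate of the condition at the top of the hunk if that line survives in the new version.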
......