+2005-02-27 Tim Perdue <tim@gforge.org>
+
+ * mopping up permission logic for the different tracker roles -
+ admin, tech, submitter, everyone else. The logic is clearer now
+ and is enforced at the Artifact.class level, rather than at
+ www interface.
+
2005-02-28 Guillaume Smet <guillaume-gforge@smet.org>
* fixed an array initialization bug in ArtifactType
//
// See if this ID already has been fetched in the cache
//
+ if (!$id_arr[$i]) {
+ continue;
+ }
if (!isset($USER_OBJ["_".$id_arr[$i]."_"])) {
$fetch[]=$id_arr[$i];
} else {
}
}
if (count($fetch) > 0) {
- $res=db_query("SELECT * FROM users WHERE user_id IN ('".implode($fetch,'\',\'') ."')");
+ $sql="SELECT * FROM users WHERE user_id IN ('".implode($fetch,'\',\'') ."')";
+ $res=db_query($sql);
while ($arr =& db_fetch_array($res)) {
$USER_OBJ["_".$arr['user_id']."_"] = new User($arr['user_id'],$arr);
$return[] =& $USER_OBJ["_".$arr['user_id']."_"];
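Review bot: The guard added at L13 only skips falsy ids, so every surviving `$id_arr[$i]` is still concatenated unescaped into the `IN (...)` list built at L23; if any caller passes ids taken from a request, that query is injectable, and casting at the point of collection closes it regardless of caller: `$fetch[] = (int)$id_arr[$i];`. `implode($fetch, '\',\'')` also passes the array first; the documented order is `implode($glue, $pieces)`, the reversed form was deprecated in PHP 7.4 and removed in 8.0, so `implode('\',\'', $fetch)` is the portable spelling. The empty `else {}` at L18-L19 can be dropped. The enclosing function starts before and ends after this hunk.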
$assigned_to,$summary,$canned_response,$details,$new_artifact_type_id,$extra_fields=array()) {
global $Language;
+ /*
+ Field-level permission checking
+ */
+ if ($this->ArtifactType->userIsAdmin()) {
+ //admin can do everything
+ } else {
+ //everyone else cannot modify these fields
+ $priority=$this->getPriority();
+ $summary=addslashes($this->getSummary());
+ $canned_response=100;
+ $new_artifact_type_id=$this->ArtifactType->getID();
+ $assigned_to=$this->getAssignedTo();
+
+ if ($this->ArtifactType->userIsTechnician()) {
+ //technician can update only certain fields
+ //which were not overridden above
+ } else {
+ //submitter can no longer call this function
+ $this->setPermissionDeniedError();
+ return false;
+ }
+
+ }
if (!$this->getID()
|| !$assigned_to
|| !$status_id
return false;
}
- // If the current status is Pending then auto-reset it to 'Open'
- // Assumes the status ID for 'Pending' is '4'
- /*
- //This was unexpected behavior - best to let the admin set their own status
- if ($status_id != '2' && $status_id != '3' && $this->getStatusID() == '4') {
- $status_id = '1';
- }
- */
- // original submitter can always modify his/her items now
- if (!$this->ArtifactType->userIsAdmin() && ($this->getSubmittedBy() != user_getid()) && (!$this->ArtifactType->userIsTechnician())) {
- $this->setPermissionDeniedError();
- return false;
- }
// Array to record which properties were changed
$changes = array();
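Review bot: In the non-admin branch (L35-L52) the overrides run before the permission decision, so for a submitter the function assigns `$priority`, `$summary` and the rest and only then denies at L48; deny first and keep the override block for technicians only: `if (!$this->ArtifactType->userIsAdmin() && !$this->ArtifactType->userIsTechnician()) { $this->setPermissionDeniedError(); return false; }` followed by `if (!$this->ArtifactType->userIsAdmin()) { /* overrides */ }`. The override list leaves `$status_id`, `$category_id`, `$artifact_group_id`, `$resolution_id` and `$extra_fields` untouched, so technicians can still change those; the docblock of update() should list which fields a technician may edit so that mod-limited.php stays in step with this function. `$summary = addslashes($this->getSummary())` re-escapes a value read from the database, which is only correct if the later SQL interpolates `$summary` verbatim — that SQL is not in this hunk, so confirm. The start and the remainder of update() are outside the hunk.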
WHERE
artifact_id='". $this->getID() ."'
AND group_artifact_id='$artifact_type_id'";
-
$result=db_query($sql);
if (!$result || db_affected_rows($result) < 1) {
$this->setError('Error - update failed!'.db_error());
- echo db_error();
db_rollback();
return false;
} else {
} else {
//determine the type of field and whether it should have multiple rows supporting it
$ef =& $this->ArtifactType->getExtraFields();
- $type=$ef[$efid]['field_type'];
- if (($type == ARTIFACT_EXTRAFIELDTYPE_CHECKBOX) || ($type==ARTIFACT_EXTRAFIELDTYPE_MULTISELECT)) {
+ $type=$ef[$efid]['field_type'];
+ if (($type == ARTIFACT_EXTRAFIELDTYPE_CHECKBOX) || ($type==ARTIFACT_EXTRAFIELDTYPE_MULTISELECT)) {
$multi_rows=true;
$count=count($extra_fields[$efid]);
for ($fin=0; $fin<$count; $fin++) {
* @return boolean success.
*/
function delete() {
- if (!$this->Artifact->ArtifactType->userIsAdmin()) {
+ if (!$this->Artifact->ArtifactType->userIsTechnician()) {
$this->setPermissionDeniedError();
return false;
}
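Review bot: `delete()` now authorizes on `userIsTechnician()` alone (L98); unless that method also returns true for tracker admins, admins lose the ability to delete attachments — confirm in ArtifactType, or check both roles: `if (!$this->Artifact->ArtifactType->userIsAdmin() && !$this->Artifact->ArtifactType->userIsTechnician()) {`. The check is purely role-based, so the file object must already be bound to the artifact the caller is modifying; nothing in this method verifies that. The docblock above should state the rule, e.g. `* Only tracker admins and technicians may delete a file.` The body of delete() continues past the hunk.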
INSERT INTO plugins(plugin_name,plugin_desc) values ('cvstracker','CVS Tracker Integration');
+CREATE SEQUENCE "plugin_cvstracker_artifact_seq" start 1 increment 1 maxvalue 2147483647 minvalue 1 cache 1;
+
+CREATE TABLE plugin_cvstracker_data_artifact (
+ "id" integer DEFAULT nextval ('plugin_cvstracker_artifact_seq'::text) NOT NULL,
+ "kind" integer DEFAULT '0' NOT NULL,
+ "group_artifact_id" integer ,
+ "project_task_id" integer ,
+ Constraint "plugin_cvstracker_artifact_pkey" Primary Key ("id")
+);
+
+CREATE SEQUENCE "plugin_cvstracker_master_seq" start 1 increment 1 maxvalue 2147483647 minvalue 1 cache 1;
+
+CREATE TABLE plugin_cvstracker_data_master (
+ "id" integer DEFAULT nextval ('plugin_cvstracker_master_seq'::text) NOT NULL,
+ "holder_id" integer NOT NULL,
+ "cvs_date" date NOT NULL,
+ "log_text" text DEFAULT '',
+ "file" text DEFAULT '' NOT NULL,
+ "prev_version" text DEFAULT '',
+ "actual_version" text DEFAULT '',
+ "author" text DEFAULT '' NOT NULL,
+ Constraint "plugin_cvstracker_master_pkey" Primary Key ("id"),
+ FOREIGN KEY (holder_id) REFERENCES plugin_cvstracker_data_artifact ("id"),
+ FOREIGN KEY (author) REFERENCES users (user_name)
+);
+
+CREATE INDEX plugin_cvstracker_group_artifact_id ON plugin_cvstracker_data_artifact USING btree (group_artifact_id);
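Review bot: `FOREIGN KEY (author) REFERENCES users (user_name)` at L126 only works if `users.user_name` carries a UNIQUE or PRIMARY KEY constraint, which PostgreSQL requires of a referenced column; referencing the surrogate key instead (`"author_id" integer NOT NULL REFERENCES users (user_id)`) also survives user renames. `holder_id` is a foreign key with no index (L117, L125), so every delete on plugin_cvstracker_data_artifact scans the master table; add `CREATE INDEX plugin_cvstracker_holder_id ON plugin_cvstracker_data_master USING btree (holder_id);`. `"cvs_date" date` at L118 drops the time of day of a commit, which `timestamp` would keep — confirm what the plugin stores there. No ON DELETE action is declared on either foreign key, so an artifact row that has commit data can no longer be removed without an error; a comment should say whether that is intended.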
<?php
/**
- *
- * SourceForge Generic Tracker facility
- *
- * SourceForge: Breaking Down the Barriers to Open Source Development
- * Copyright 1999-2001 (c) VA Linux Systems
- * http://sourceforge.net
- *
- * @version $Id$
- *
- */
+ * SourceForge Generic Tracker facility
+ *
+ * SourceForge: Breaking Down the Barriers to Open Source Development
+ * Copyright 1999-2001 (c) VA Linux Systems
+ * http://sourceforge.net
+ *
+ * @version $Id$
+ */
echo $ath->header(array ('title'=>$Language->getText('tracker_detail','title').': '.$ah->getID(). ' '.util_unconvert_htmlspecialchars($ah->getSummary()),'pagename'=>'tracker_detail','atid'=>$ath->getID(),'sectionvals'=>array($ath->getName())));
<h2>[#<?php echo $ah->getID(); ?>] <?php echo util_unconvert_htmlspecialchars($ah->getSummary()); ?></h2>
<table cellpadding="0" width="100%">
-<?php
-if (session_loggedin()) {
-?>
<tr>
<td><?php
- if ($ah->isMonitoring()) {
- $img="xmail16w.png";
- $key="stop_monitoring";
- } else {
- $img="mail16w.png";
- $key="monitor";
- }
- echo '
- <a href="index.php?group_id='.$group_id.'&artifact_id='.$ah->getID().'&atid='.$ath->getID().'&func=monitor"><strong>'.
- html_image('ic/'.$img.'','20','20',array()).' '.$Language->getText('tracker_utils',$key).'</strong></a>';
- ?> <a href="javascript:help_window('/help/tracker.php?helpname=monitor')"><strong>(?)</strong></a>
- </td>
- <td>
- <a href="<?php echo "$PHP_SELF?func=taskmgr&group_id=$group_id&atid=$atid&aid=$aid"; ?>"><?php echo
- html_image('ic/taskman20w.png','20','20',array()); ?><strong><?php echo $Language->getText('tracker_detail','build_task_relation') ?></strong></a>
+ if (session_loggedin()) {
+
+ if ($ah->isMonitoring()) {
+ $img="xmail16w.png";
+ $key="stop_monitoring";
+ } else {
+ $img="mail16w.png";
+ $key="monitor";
+ }
+ echo '
+ <a href="index.php?group_id='.$group_id.'&artifact_id='.$ah->getID().'&atid='.$ath->getID().'&func=monitor"><strong>'.
+ html_image('ic/'.$img.'','20','20',array()).' '.$Language->getText('tracker_utils',$key).'</strong></a>';
+ ?> <a href="javascript:help_window('/help/tracker.php?helpname=monitor')"><strong>(?)</strong></a>
+
+ <?php } else { ?>
+
+ <h3><FONT COLOR="RED">
+ <?php echo $Language->getText('tracker','please_login',array('<a href="/account/login.php?return_to='.urlencode($REQUEST_URI).'">','</a>')) ?></FONT></h3><br />
+
+ <?php } ?>
+ <p>
</td>
+ <td><strong><?php echo $Language->getText('tracker','status') ?>:</strong><br /><?php echo $ah->getStatusName(); ?></td>
</tr>
-<?php } ?>
<tr>
<td><strong><?php echo $Language->getText('tracker','date') ?>:</strong><br /><?php echo date( $sys_datefmt, $ah->getOpenDate() ); ?></td>
<td><strong><?php echo $Language->getText('tracker','priority') ?>:</strong><br /><?php echo $ah->getPriority(); ?></td>
(<tt><a href="/users/<?php echo $submittedUnixName; ?>"><?php echo $submittedUnixName; ?></a></tt>)
<?php } ?>
</td>
- <td><strong><?php echo $Language->getText('tracker','assigned_to') ?>:</strong><br /><?php echo $ah->getAssignedRealName(); ?> (<?php echo $ah->getAssignedUnixName(); ?>)</td>
+ <td><strong><?php echo $Language->getText('tracker','assigned_to') ?>:</strong><br />
+ <?php echo $ah->getAssignedRealName(); ?> (<?php echo $ah->getAssignedUnixName(); ?>)</td>
</tr>
<tr>
<td><strong><?php echo $Language->getText('tracker','category') ?>:</strong><br /><?php echo $ah->getCategoryName(); ?></td>
- <td><strong><?php echo $Language->getText('tracker','status') ?>:</strong><br /><?php echo $ah->getStatusName(); ?></td>
+ <td><strong><?php echo $Language->getText('tracker','resolution') ?>:</strong><br /><?php echo $ah->getResolutionName(); ?></td>
</tr>
- <?php
- $ath->renderExtraFields($ah->getExtraFieldData(),true);
- ?>
+ <?php
+ $ath->renderExtraFields($ah->getExtraFieldData(),true);
+ ?>
<tr><td colspan="2"><strong><?php echo $Language->getText('tracker','summary') ?>:</strong><br /><?php echo $ah->getSummary(); ?></td></tr>
- <form action="<?php echo $PHP_SELF; ?>?group_id=<?php echo $group_id; ?>&atid=<?php echo $ath->getID(); ?>" METHOD="POST">
+ <form action="<?php echo $PHP_SELF; ?>?group_id=<?php echo $group_id; ?>&atid=<?php echo $ath->getID(); ?>" method="post" enctype="multipart/form-data">
<tr><td colspan="2">
<br />
<?php echo $ah->showDetails(); ?>
- <input type="hidden" name="func" value="postaddcomment">
+ <input type="hidden" name="func" value="postmod">
<input type="hidden" name="artifact_id" value="<?php echo $ah->getID(); ?>">
<p>
<strong><?php echo $Language->getText('tracker_detail','add_comment') ?>:</strong>
<?php echo notepad_button('document.forms[1].details') ?><br />
<textarea name="details" ROWS="10" COLS="60" WRAP="SOFT"></textarea>
+ <?php if (!session_loggedin()) { ?>
+ <?php echo $Language->getText('tracker','insert_email') ?>
+ <p>
+ <input type="text" name="user_email" SIZE="20" MAXLENGTH="40">
+ <?php } ?>
</td></tr>
- <tr><td colspan="2">
- <?php
-
- if (!session_loggedin()) {
- ?>
- <h3><FONT COLOR="RED">
- <?php echo $Language->getText('tracker','please_login',array('<a href="/account/login.php?return_to='.urlencode($REQUEST_URI).'">','</a>')) ?></FONT></h3><br />
- <?php echo $Language->getText('tracker','insert_email') ?>
- <p>
- <input type="TEXT" name="user_email" SIZE="20" MAXLENGTH="40">
- <?php
- }
- ?>
- <p>
- <h3><?php echo $Language->getText('tracker_detail','security_note') ?></h3>
- <p>
- <input type="SUBMIT" name="SUBMIT" value="<?php echo $Language->getText('general','submit') ?>">
- </form>
- </td></tr>
-
<tr><td colspan="2">
<h3><?php echo $Language->getText('tracker','followups') ?></h3>
<p>
</td></tr>
<tr><td colspan=2>
+ <?php if (session_loggedin() && ($ah->getSubmittedBy() == user_getid())) { ?>
+ <strong><?php echo $Language->getText('tracker','check_upload') ?>:</strong> <input type="checkbox" name="add_file" value="1" /><br />
+ <input type="file" name="input_file" size="30" /></p>
+ <p>
+ <strong><?php echo $Language->getText('tracker','file_description') ?>:</strong><br />
+ <input type="text" name="file_description" size="40" maxlength="255" /></p>
+ <?php } ?>
<h4><?php echo $Language->getText('tracker_detail','attached_files') ?>:</h4>
<?php
//
?>
</td></tr>
+ <tr><td colspan="2">
+ <h3><?php echo $Language->getText('tracker_detail','security_note') ?></h3>
+ <p>
+ <input type="submit" name="submit" value="<?php echo $Language->getText('general','submit') ?>">
+ </form>
+ </td></tr>
+
<?php
$hookParams['artifact_id']=$aid;
plugin_hook("artifact_extra_detail",$hookParams);
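Review bot: The login link at L190 builds `return_to` from `$REQUEST_URI`, which looks like a register_globals variable and could therefore be supplied as an ordinary request parameter; `$_SERVER['REQUEST_URI']` is the explicit source and should be used there (the line is moved from L244, so it is new code on this side). Two points of style: `<FONT COLOR="RED">` at L189 keeps upper-case tags in a commit that lowercases `</TABLE>`, `METHOD` and `SUBMIT` elsewhere in this file, and the `<p>` opened at L193 is never closed inside its `<td>`. The upload inputs at L263-L268 are rendered only for the submitter, which is fine as UI, but they are plain form fields, so the server-side postmod branch remains the real control over `add_file` and `input_file`; a short comment at L263 saying so, `<?php // UI hint only: index.php enforces who may attach files ?>`, would stop a later edit from treating this check as the enforcement.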
?>
</td>
</tr>
-</TABLE>
+</table>
<?php
$ath->footer(array());
<?php
/**
- *
- * SourceForge Generic Tracker facility
- *
- * SourceForge: Breaking Down the Barriers to Open Source Development
- * Copyright 1999-2001 (c) VA Linux Systems
- * http://sourceforge.net
- *
- * @version $Id$
- *
- */
+ * SourceForge Generic Tracker facility
+ *
+ * SourceForge: Breaking Down the Barriers to Open Source Development
+ * Copyright 1999-2001 (c) VA Linux Systems
+ * http://sourceforge.net
+ *
+ * @version $Id$
+ */
$ath->header(array ('title'=>$Language->getText('tracker_mod','title').': '.$ah->getID(). ' - ' . $ah->getSummary(),'pagename'=>'tracker','atid'=>$ath->getID(),'sectionvals'=>array($group->getPublicName()) ));
<td><strong><?php echo $Language->getText('tracker','category') ?>: <a href="javascript:help_window('/help/tracker.php?helpname=category')"><strong>(?)</strong></a></strong><br />
<?php
- echo $ah->getCategoryName();
+ echo $ath->categoryBox('category_id', $ah->getCategoryID() );
?>
</td>
<td><strong><?php echo $Language->getText('tracker','group') ?>: <a href="javascript:help_window('/help/tracker.php?helpname=group')"><strong>(?)</strong></a></strong><br />
<?php
- echo $ah->getArtifactGroupName();
+ echo $ath->artifactGroupBox('artifact_group_id', $ah->getArtifactGroupID() );
?>
</td>
<tr>
<td><strong><?php echo $Language->getText('tracker','assigned_to')?>: <a href="javascript:help_window('/help/tracker.php?helpname=assignee')"><strong>(?)</strong></a></strong><br />
- <?php
-
- echo $ath->technicianBox('assigned_to', $ah->getAssignedTo() );
- echo ' <a href="/tracker/admin/?group_id='.$group_id.'&atid='. $ath->getID() .'&update_users=1">('.$Language->getText('tracker','admin').')</a>';
- ?>
- </td><td>
+ <?php echo $ah->getAssignedRealName(); ?> (<?php echo $ah->getAssignedUnixName(); ?>)</td>
+ <td>
<strong><?php echo $Language->getText('tracker','priority') ?>: <a href="javascript:help_window('/help/tracker.php?helpname=priority')"><strong>(?)</strong></a></strong><br />
<?php
/*
<br /><strong><?php echo $Language->getText('tracker_mod','attach_comment') ?>: <?php echo notepad_button('document.forms[1].details') ?> <a href="javascript:help_window('/help/tracker.php?helpname=comment')"><strong>(?)</strong></a></strong><br />
<textarea name="details" rows="7" cols="60" wrap="hard"></textarea></p>
<p>
- <input type="submit" name="submit" value="<?php echo $Language->getText('general','submit') ?>"></p>
<h3><?php echo $Language->getText('tracker','followups') ?>:</h3>
<?php
echo $ah->showMessages();
$count=count($file_list);
$title_arr=array();
+ $title_arr[]=$Language->getText('tracker_mod','delete');
$title_arr[]=$Language->getText('tracker_detail','name');
$title_arr[]=$Language->getText('tracker_detail','description');
$title_arr[]=$Language->getText('tracker_detail','download');
for ($i=0; $i<$count; $i++) {
echo '<tr '. $GLOBALS['HTML']->boxGetAltRowStyle($i) .'>
+ <td><input type="CHECKBOX" name="delete_file[]" value="'. $file_list[$i]->getID() .'">'.$Language->getText('tracker_mod','delete').' </td>
<td>'. htmlspecialchars($file_list[$i]->getName()) .'</td>
<td>'. htmlspecialchars($file_list[$i]->getDescription()) .'</td>
<td><a href="/tracker/download.php/'.$group_id.'/'. $ath->getID().'/'. $ah->getID() .'/'.$file_list[$i]->getID().'/'.$file_list[$i]->getName() .'">'.$Language->getText('tracker_mod','download').'</a></td>
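Review bot: The priority cell at L335 still carries an edit control header while Artifact::update() in this commit now overrides `$priority` for every non-admin, so if the PHP after L336 renders a priority selector it is ineffective for technicians; either drop the selector here or show the value read-only as is done for assigned_to at L333. The delete checkboxes added at L353 post `delete_file[]` values that are bare file ids, and ArtifactFile::delete() in this commit checks only the technician role, so the handler must confirm each id belongs to `$ah` before deleting — presumably the ArtifactFile constructor does that; confirm. The category and group cells (L316, L322) become select boxes, which is consistent with update() not overriding those fields, but that division of editable fields is nowhere written down; a one-line comment at the top of this view naming the fields a technician may change would keep it in step with update(). The hunk's PHP block around L337 is cut, so the `/*` there may or may not enclose the removed submit button at L341.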
// } elseif ($afh->isError()) {
// $feedback .= $afh->getErrorMessage();
} else {
+ if (!util_check_fileupload($input_file)) {
+ exit_error("Error","Invalid filename");
+ }
if (!$afh->upload($input_file,$input_file_name,$input_file_type,$file_description)) {
$feedback .= ' Could Not Attach File to Item: '.$afh->getErrorMessage();
}
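Review bot: `exit_error("Error","Invalid filename")` at L361 does not describe the check; `util_check_fileupload($input_file)` presumably verifies that `$input_file` is a genuine upload, so a user who trips it is told a filename is wrong — `exit_error('ERROR', 'Invalid file upload');` is closer and matches the `'ERROR'` first argument used elsewhere in this file. `$input_file` appears to be a register_globals upload variable; `$_FILES['input_file']['tmp_name']` is the explicit source and cannot be supplied as an ordinary request parameter. The enclosing if/else starts before the hunk.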
} else if ($ah->isError()) {
exit_error('ERROR',$ah->getErrorMessage());
} else {
- if (!$ath->userIsAdmin() && ($ath->userIsTechnician() || (session_loggedin() && ($ah->getSubmittedBy() == user_getid())))) {
-// && !(session_loggedin() && ($ah->getSubmittedBy() == user_getid()))
-// && (session_loggedin() && ($ah->getAssignedTo() == user_getid()))) {
- $priority=$ah->getPriority();
- $category_id=$ah->getCategoryID();
- $artifact_group_id=$ah->getArtifactGroupID();
- $summary=addslashes($ah->getSummary());
- $canned_response=100;
- $new_artfact_type_id=$ath->getID();
- $delete_file=false;
- }
-//echo "$priority|$status_id|$category_id|$artifact_group_id|$resolution_id|
-// $assigned_to|$summary|$canned_response|$details|$new_artfact_type_id";
- if (!$ah->update($priority,$status_id,$category_id,$artifact_group_id,$resolution_id,
- $assigned_to,$summary,$canned_response,$details,$new_artfact_type_id,$extra_fields)) {
- $feedback =$Language->getText('tracker','tracker_item'). ': '.$ah->getErrorMessage();
- $ah->clearError();
- $was_error=true;
+
+ /*
+
+ The following logic causes fields to be overridden
+ in the event that someone tampered with the HTML form
+
+ */
+ if ($ath->userIsAdmin() || $ath->userIsTechnician()) {
+
+ //admin and techs can do everything
+ //techs will have certain fields overridden inside the update() function call
+ if (!$ah->update($priority,$status_id,$category_id,$artifact_group_id,$resolution_id,
+ $assigned_to,$summary,$canned_response,$details,$new_artfact_type_id,$extra_fields)) {
+ $feedback =$Language->getText('tracker','tracker_item'). ': '.$ah->getErrorMessage();
+ $ah->clearError();
+ $was_error=true;
+ }
+
+ } else {
+
+ if (session_loggedin() && ($ah->getSubmittedBy() == user_getid())) {
+
+ //submitter can only add files & comments
+
+ $delete_file=false;
+ if ($ah->addMessage($details,$user_email,true)) {
+ $feedback=$Language->getText('tracker','comment_added');
+ } else {
+ //some kind of error in creation
+ exit_error('ERROR',$feedback);
+ }
+
+ } else {
+
+ //everyone else can only add comments
+ $delete_file=false;
+ $add_file=false;
+ if ($ah->addMessage($details,$user_email,true)) {
+ $feedback=$Language->getText('tracker','comment_added');
+ } else {
+ //some kind of error in creation
+ exit_error('ERROR',$feedback);
+ }
+
+ }
}
//
}
break;
}
- case 'postaddcomment' : {
- /*
- Attach a comment to an artifact
- Used by non-admins
- */
- $ah=new ArtifactHtml($ath,$artifact_id);
- if (!$ah || !is_object($ah)) {
- exit_error('ERROR','Artifact Could Not Be Created');
- } else if ($ah->isError()) {
- exit_error('ERROR',$ah->getErrorMessage());
- } else {
- if ($ah->addMessage($details,$user_email,true)) {
- $feedback=$Language->getText('tracker','comment_added');
- include ('browse.php');
- } else {
- //some kind of error in creation
- exit_error('ERROR',$feedback);
- }
- }
- break;
- }
case 'monitor' : {
if ($artifact_id) {
$ah=new ArtifactHtml($ath,$artifact_id);
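Review bot: `exit_error('ERROR',$feedback)` at L416 and L428 reports `$feedback`, which nothing in this branch has assigned, so a failed addMessage() exits with an empty message; use the object's error, `exit_error('ERROR', $ah->getErrorMessage());`, as L367 already does. The submitter branch (L407-L417) and the anonymous branch (L419-L429) differ only in `$add_file=false`, so the whole else arm collapses to one block, shown below. Removing the `postaddcomment` case (L437-L457) drops the `include ('browse.php')` that followed a successful comment, and any other form still posting `func=postaddcomment` now falls through the switch unhandled — worth a grep before merging. The surrounding switch and the earlier part of this case are outside the hunk.
```php
} else {
    // submitter may add files and comments; everyone else may only comment
    if (!(session_loggedin() && ($ah->getSubmittedBy() == user_getid()))) {
        $add_file = false;
    }
    $delete_file = false;
    if ($ah->addMessage($details, $user_email, true)) {
        $feedback = $Language->getText('tracker', 'comment_added');
    } else {
        // addMessage() recorded the reason on the artifact object
        exit_error('ERROR', $ah->getErrorMessage());
    }
}
```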
} else {
if ($ath->userIsAdmin()) {
include 'mod.php';
- } elseif ($ath->userIsTechnician() || (session_loggedin() && ($ah->getSubmittedBy() == user_getid()))) {
+ } elseif ($ath->userIsTechnician()) {
include 'mod-limited.php';
} else {
include 'detail.php';