Patch bugsweb-security.diff revision 2012-05-07 20:59 UTC by tyrael@php.net
revision 2012-05-06 19:03 UTC by tyrael@php.net
revision 2012-05-05 20:28 UTC by tyrael@php.net
revision 2012-05-05 20:25 UTC by tyrael@php.net

Patch bugsweb-security.diff for Website problem Bug #60989

Patch version 2012-05-07 20:59 UTC

This patch renders other patches obsolete

Obsolete patches:

Patch Revisions:

Developer: tyrael@php.net

diff --git a/include/functions.php b/include/functions.php
index 30f0af7..ae9597b 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -117,6 +117,10 @@ function bugs_has_access ($bug_id, $bug, $pw, $user_flags)
 	} else if (($user_flags == BUGS_NORMAL_USER) && $pw != '' && verify_bug_passwd($bug_id, $pw)) {
 		// The submitter
 		return true;
+	} else if (($user_flags & BUGS_DEV_USER) && $bug['reporter_name'] != '' &&
+		strtolower($bug['reporter_name']) == strtolower($auth_user->handle)) {
+		// The submitter (php developer)
+		return true;
 	} else if (($user_flags & BUGS_DEV_USER) && $bug['assign'] != '' &&
 		strtolower($bug['assign']) == strtolower($auth_user->handle)) {
 		// The assigned dev
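Review bot: The new branch grants access on `strtolower($bug['reporter_name']) == strtolower($auth_user->handle)`, a name-string match using loose `==`, under which numeric-looking strings such as `1e3` and `1000` compare equal; use `strtolower($bug['reporter_name']) === strtolower($auth_user->handle)`. If `reporter_name` is free text entered at submission time (not visible here), a match with a developer handle does not prove that developer filed the bug, so a stored account identifier would be a safer basis for the decision. The assigned-dev branch just below uses the same loose comparison. `$auth_user` is not a parameter of `bugs_has_access`, so it is presumably declared global in the part of the body outside this hunk.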
diff --git a/www/bug.php b/www/bug.php
index 5d37606..6e6bb3c 100644
--- a/www/bug.php
+++ b/www/bug.php
@@ -605,6 +605,9 @@ switch ($thanks)
 
 display_bug_error($errors);
 
+if (!$show_bug_info) {
+	echo '<div id="bugheader"></div>';
+} else{
 ?>
 <div id="bugheader">
 	<table id="details">
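Review bot: The `} else{` opened here is closed only by a bare `}` in the `@@ -668` hunk, on the far side of the whole `#bugheader` template, so the pairing is easy to break in a later edit. Mark both ends, e.g. `} else { // access granted: render the full header` here and `} // end if (!$show_bug_info)` at the closing brace, or use the `if (...): ... else: ... endif;` template syntax. The guard covers only the header table; whether the comment list and other bug data further down the page are also gated on `$show_bug_info` cannot be seen from this hunk and is worth confirming.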
@@ -668,7 +671,9 @@ display_bug_error($errors);
 	</table>
 </div>
 
-<?php if ($bug_id !== 'PREVIEW') {
+<?php
+}
+if ($bug_id !== 'PREVIEW') {
 	echo '<div class="controls">', "\n",
 		control(0, 'View'),
 		($bug['private'] == 'N' ? control(3, 'Add Comment') : ''),
@@ -750,7 +755,10 @@ if ($edit == 1 || $edit == 2) { ?>
 <form id="update" action="bug.php?id=<?php echo $bug_id; ?>&amp;edit=<?php echo $edit; ?>" method="post">
 
 <?php if ($edit == 2) {
-		if (!isset($_POST['in']) && $pw && verify_bug_passwd($bug['id'], bugs_get_hash($pw))) {
+		if ($logged_in && $show_bug_info) {
+			// do nothing if the user is logged in and has access to the bug
+
+		} elseif (!isset($_POST['in']) && $pw && verify_bug_passwd($bug['id'], bugs_get_hash($pw))) {
 			$show_bug_info = true;	?>
 			<div class="explain">
 				Welcome back! Since you opted to store your bug's password in a
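Review bot: The empty `if ($logged_in && $show_bug_info)` branch exists only to bypass the password branches that follow, and its comment does not say where access was decided or what is being skipped. A more useful comment would be `// Access was already granted earlier (presumably by bugs_has_access()); skip the stored-password check and the password prompt.` Note that `$show_bug_info` is both tested here and set to `true` in the `elseif`, so the order of these branches matters. The rest of the if/else chain continues outside the hunk.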
@@ -811,7 +819,7 @@ if ($edit == 1 || $edit == 2) { ?>
 ?>
 	<table>
 
-<?php if ($edit == 1) { /* Developer Edit Form */ ?>
+<?php if ($edit == 1 && $show_bug_info) { /* Developer Edit Form */ ?>
 		<tr>
 			<th class="details"><label for="in" accesskey="c">Qui<span class="accesskey">c</span>k Fix:</label></th>
 			<td colspan="3">
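Review bot: Adding `&& $show_bug_info` to the Developer Edit Form condition only stops the form fields from being rendered; it is not an access check on the update itself. The code that processes the posted `edit=1` form is outside this hunk, so confirm it rejects the request when `bugs_has_access` fails rather than relying on the form being hidden. A comment here would record that, e.g. `/* Developer Edit Form: display only; the POST handler must enforce access too */`.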
 