external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix the permission check in pkgbase_adopt()

Browse source 
Filter the affected package bases before closing any package requests.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
This commit is contained in:
Lukas Fleischer 2015-05-22 14:44:24 +02:00
parent 2b909cb3f6
commit 0dcdc23a7f
1 changed files with 18 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
web/lib/pkgbasefuncs.inc.php
View file

@ -579,7 +579,25 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
}
}
/* Verify package ownership. */
$base_ids = sanitize_ids($base_ids);
$q = "SELECT ID FROM PackageBases ";
$q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
if ($action && !has_credential(CRED_PKGBASE_ADOPT)) {
/* Regular users may only adopt orphan packages. */
$q.= "AND MaintainerUID IS NULL";
}
if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) {
/* Regular users may only disown their own packages. */
$q.= "AND MaintainerUID = " . $uid;
}
$result = $dbh->query($q);
$base_ids = $result->fetchAll(PDO::FETCH_COLUMN, 0);
/* Error out if the list of remaining packages is empty. */
if (empty($base_ids)) {
if ($action) {
return array(false, __("You did not select any packages to adopt."));
@ -618,16 +636,6 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
$q.= "SET MaintainerUID = NULL ";
}
$q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
if ($action && !has_credential(CRED_PKGBASE_ADOPT)) {
/* Regular users may only adopt orphan packages. */
$q.= "AND MaintainerUID IS NULL";
}
if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) {
/* Regular users may only disown their own packages. */
$q.= "AND MaintainerUID = " . $uid;
}
$dbh->exec($q);
if ($action) {