/** * Whether to skip this event after access checks * @return boolean */ public function skip() { if (!bugnote_exists($this->issue_note_id)) { return true; } if (!access_has_bugnote_level(VIEWER, $this->issue_note_id)) { return true; } return false; }
/** * Check if the user has the specified access level for the given bugnote * and deny access to the page if not * @see access_has_bugnote_level * @param int $p_access_level integer representing access level * @param int $p_bugnote_id integer representing bugnote id to check access against * @param int|null $p_user_id integer representing user id, defaults to null to use current user * @access public */ function access_ensure_bugnote_level($p_access_level, $p_bugnote_id, $p_user_id = null) { if (!access_has_bugnote_level($p_access_level, $p_bugnote_id, $p_user_id)) { access_denied(); } }
if (!bug_is_readonly($f_bug_id)) { # check if the user can edit this bugnote if ($t_user_id == $t_bugnote->reporter_id) { $t_can_edit_bugnote = access_has_bugnote_level($t_bugnote_user_edit_threshold, $t_bugnote->id); } else { $t_can_edit_bugnote = $t_can_edit_all_bugnotes; } # check if the user can delete this bugnote if ($t_user_id == $t_bugnote->reporter_id) { $t_can_delete_bugnote = access_has_bugnote_level($t_bugnote_user_delete_threshold, $t_bugnote->id); } else { $t_can_delete_bugnote = $t_can_delete_all_bugnotes; } # check if the user can make this bugnote private if ($t_user_id == $t_bugnote->reporter_id) { $t_can_change_view_state = access_has_bugnote_level($t_bugnote_user_change_view_state_threshold, $t_bugnote->id); } else { $t_can_change_view_state = $t_can_change_view_state_all_bugnotes; } # show edit button if the user is allowed to edit this bugnote if ($t_can_edit_bugnote) { print_button('bugnote_edit_page.php?bugnote_id=' . $t_bugnote->id, lang_get('bugnote_edit_link')); } # show delete button if the user is allowed to delete this bugnote if ($t_can_delete_bugnote) { print_button('bugnote_delete.php?bugnote_id=' . $t_bugnote->id, lang_get('delete_link')); } # show make public or make private button if the user is allowed to change the view state of this bugnote if ($t_can_change_view_state) { if (VS_PRIVATE == $t_bugnote->view_state) { print_button('bugnote_set_view_state.php?private=0&bugnote_id=' . $t_bugnote->id, lang_get('make_public'));
/** * Update a note * * @param string $p_username The name of the user trying to add a note to an issue. * @param string $p_password The password of the user. * @param stdClass $p_note The note to update. * @return true on success, false on failure */ function mc_issue_note_update($p_username, $p_password, stdClass $p_note) { global $g_project_override; $t_user_id = mci_check_login($p_username, $p_password); if ($t_user_id === false) { return mci_soap_fault_login_failed(); } $p_note = SoapObjectsFactory::unwrapObject($p_note); if (!isset($p_note['id']) || is_blank($p_note['id'])) { return SoapObjectsFactory::newSoapFault('Client', 'Issue note id must not be blank.'); } if (!isset($p_note['text']) || is_blank($p_note['text'])) { return SoapObjectsFactory::newSoapFault('Client', 'Issue note text must not be blank.'); } $t_issue_note_id = $p_note['id']; if (!bugnote_exists($t_issue_note_id)) { return SoapObjectsFactory::newSoapFault('Client', 'Issue note \'' . $t_issue_note_id . '\' does not exist.'); } $t_issue_id = bugnote_get_field($t_issue_note_id, 'bug_id'); $t_project_id = bug_get_field($t_issue_id, 'project_id'); $g_project_override = $t_project_id; if (!mci_has_readwrite_access($t_user_id, $t_project_id)) { return mci_soap_fault_access_denied($t_user_id); } $t_issue_author_id = bugnote_get_field($t_issue_note_id, 'reporter_id'); # Check if the user owns the bugnote and is allowed to update their own bugnotes # regardless of the update_bugnote_threshold level. $t_user_owns_the_bugnote = bugnote_is_user_reporter($t_issue_note_id, $t_user_id); $t_user_can_update_own_bugnote = config_get('bugnote_user_edit_threshold', null, $t_user_id, $t_project_id); if ($t_user_owns_the_bugnote && !$t_user_can_update_own_bugnote) { return mci_soap_fault_access_denied($t_user_id); } # Check if the user has an access level beyond update_bugnote_threshold for the # project containing the bugnote to update. $t_update_bugnote_threshold = config_get('update_bugnote_threshold', null, $t_user_id, $t_project_id); if (!$t_user_owns_the_bugnote && !access_has_bugnote_level($t_update_bugnote_threshold, $t_issue_note_id, $t_user_id)) { return mci_soap_fault_access_denied($t_user_id); } # Check if the bug is readonly if (bug_is_readonly($t_issue_id)) { return mci_soap_fault_access_denied($t_user_id, 'Issue \'' . $t_issue_id . '\' is readonly'); } if (isset($p_note['view_state'])) { $t_view_state = $p_note['view_state']; $t_view_state_id = mci_get_enum_id_from_objectref('view_state', $t_view_state); bugnote_set_view_state($t_issue_note_id, $t_view_state_id == VS_PRIVATE); } log_event(LOG_WEBSERVICE, 'updating bugnote id \'' . $t_issue_note_id . '\''); bugnote_set_text($t_issue_note_id, $p_note['text']); return bugnote_date_update($t_issue_note_id); }
/** * @todo yarick123: email_collect_recipients(...) will be completely rewritten to provide additional information such as language, user access,.. * @todo yarick123:sort recipients list by language to reduce switches between different languages * @param int $p_bug_id * @param string $p_notify_type * @param array $p_extra_user_ids_to_email * @return array */ function email_collect_recipients($p_bug_id, $p_notify_type, $p_extra_user_ids_to_email = array()) { $c_bug_id = db_prepare_int($p_bug_id); $t_recipients = array(); # add explicitly specified users if (ON == email_notify_flag($p_notify_type, 'explicit')) { foreach ($p_extra_user_ids_to_email as $t_user_id) { $t_recipients[$t_user_id] = true; log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, add explicitly specified user = @U%d', $p_bug_id, $t_user_id)); } } # add Reporter if (ON == email_notify_flag($p_notify_type, 'reporter')) { $t_reporter_id = bug_get_field($p_bug_id, 'reporter_id'); $t_recipients[$t_reporter_id] = true; log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, add Reporter = @U%d', $p_bug_id, $t_reporter_id)); } # add Handler if (ON == email_notify_flag($p_notify_type, 'handler')) { $t_handler_id = bug_get_field($p_bug_id, 'handler_id'); if ($t_handler_id > 0) { $t_recipients[$t_handler_id] = true; log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, add Handler = @U%d', $p_bug_id, $t_handler_id)); } } $t_project_id = bug_get_field($p_bug_id, 'project_id'); # add users monitoring the bug $t_bug_monitor_table = db_get_table('mantis_bug_monitor_table'); if (ON == email_notify_flag($p_notify_type, 'monitor')) { $query = "SELECT DISTINCT user_id\n\t\t\t\t\t FROM {$t_bug_monitor_table}\n\t\t\t\t\t WHERE bug_id=" . db_param(); $result = db_query_bound($query, array($c_bug_id)); $count = db_num_rows($result); for ($i = 0; $i < $count; $i++) { $t_user_id = db_result($result, $i); $t_recipients[$t_user_id] = true; log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, add Monitor = @U%d', $p_bug_id, $t_user_id)); } } # add users who contributed bugnotes $t_bugnote_id = bugnote_get_latest_id($p_bug_id); $t_bugnote_view = bugnote_get_field($t_bugnote_id, 'view_state'); $t_bugnote_date = bugnote_get_field($t_bugnote_id, 'last_modified'); $t_bug = bug_get($p_bug_id); $t_bug_date = $t_bug->last_updated; $t_bugnote_table = db_get_table('mantis_bugnote_table'); if (ON == email_notify_flag($p_notify_type, 'bugnotes')) { $query = "SELECT DISTINCT reporter_id\n\t\t\t\t\t FROM {$t_bugnote_table}\n\t\t\t\t\t WHERE bug_id = " . db_param(); $result = db_query_bound($query, array($c_bug_id)); $count = db_num_rows($result); for ($i = 0; $i < $count; $i++) { $t_user_id = db_result($result, $i); $t_recipients[$t_user_id] = true; log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, add Note Author = @U%d', $p_bug_id, $t_user_id)); } } # add project users who meet the thresholds $t_bug_is_private = bug_get_field($p_bug_id, 'view_state') == VS_PRIVATE; $t_threshold_min = email_notify_flag($p_notify_type, 'threshold_min'); $t_threshold_max = email_notify_flag($p_notify_type, 'threshold_max'); $t_threshold_users = project_get_all_user_rows($t_project_id, $t_threshold_min); foreach ($t_threshold_users as $t_user) { if ($t_user['access_level'] <= $t_threshold_max) { if (!$t_bug_is_private || access_compare_level($t_user['access_level'], config_get('private_bug_threshold'))) { $t_recipients[$t_user['id']] = true; log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, add Project User = @U%d', $p_bug_id, $t_user['id'])); } } } # add users as specified by plugins $t_recipients_include_data = event_signal('EVENT_NOTIFY_USER_INCLUDE', array($p_bug_id, $p_notify_type)); foreach ($t_recipients_include_data as $t_plugin => $t_recipients_include_data2) { foreach ($t_recipients_include_data2 as $t_callback => $t_recipients_included) { # only handle if we get an array from the callback if (is_array($t_recipients_included)) { foreach ($t_recipients_included as $t_user_id) { $t_recipients[$t_user_id] = true; log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, %s plugin added user @U%d', $p_bug_id, $t_plugin, $t_user_id)); } } } } # FIXME: the value of $p_notify_type could at this stage be either a status # or a built-in actions such as 'owner and 'sponsor'. We have absolutely no # idea whether 'new' is indicating a new bug has been filed, or if the # status of an existing bug has been changed to 'new'. Therefore it is best # to just assume built-in actions have precedence over status changes. switch ($p_notify_type) { case 'new': case 'feedback': # This isn't really a built-in action (delete me!) # This isn't really a built-in action (delete me!) case 'reopened': case 'resolved': case 'closed': case 'bugnote': $t_pref_field = 'email_on_' . $p_notify_type; break; case 'owner': # The email_on_assigned notification type is now effectively # email_on_change_of_handler. $t_pref_field = 'email_on_assigned'; break; case 'deleted': case 'updated': case 'sponsor': case 'relation': case 'monitor': case 'priority': # This is never used, but exists in the database! # FIXME: these notification actions are not actually implemented # in the database and therefore aren't adjustable on a per-user # basis! The exception is 'monitor' that makes no sense being a # customisable per-user preference. $t_pref_field = false; break; default: # Anything not built-in is probably going to be a status $t_pref_field = 'email_on_status'; break; } # @@@ we could optimize by modifiying user_cache() to take an array # of user ids so we could pull them all in. We'll see if it's necessary $t_final_recipients = array(); $t_user_ids = array_keys($t_recipients); user_cache_array_rows($t_user_ids); user_pref_cache_array_rows($t_user_ids); user_pref_cache_array_rows($t_user_ids, $t_bug->project_id); # Check whether users should receive the emails # and put email address to $t_recipients[user_id] foreach ($t_recipients as $t_id => $t_ignore) { # Possibly eliminate the current user if (auth_get_current_user_id() == $t_id && OFF == config_get('email_receive_own')) { log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, drop @U%d (own)', $p_bug_id, $t_id)); continue; } # Eliminate users who don't exist anymore or who are disabled if (!user_exists($t_id) || !user_is_enabled($t_id)) { log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, drop @U%d (disabled)', $p_bug_id, $t_id)); continue; } # Exclude users who have this notification type turned off if ($t_pref_field) { $t_notify = user_pref_get_pref($t_id, $t_pref_field); if (OFF == $t_notify) { log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, drop @U%d (pref %s off)', $p_bug_id, $t_id, $t_pref_field)); continue; } else { # Users can define the severity of an issue before they are emailed for # each type of notification $t_min_sev_pref_field = $t_pref_field . '_min_severity'; $t_min_sev_notify = user_pref_get_pref($t_id, $t_min_sev_pref_field); $t_bug_severity = bug_get_field($p_bug_id, 'severity'); if ($t_bug_severity < $t_min_sev_notify) { log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, drop @U%d (pref threshold)', $p_bug_id, $t_id)); continue; } } } # exclude users who don't have at least viewer access to the bug, # or who can't see bugnotes if the last update included a bugnote if (!access_has_bug_level(VIEWER, $p_bug_id, $t_id) || $t_bug_date == $t_bugnote_date && !access_has_bugnote_level(VIEWER, $t_bugnote_id, $t_id)) { log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, drop @U%d (access level)', $p_bug_id, $t_id)); continue; } # check to exclude users as specified by plugins $t_recipient_exclude_data = event_signal('EVENT_NOTIFY_USER_EXCLUDE', array($p_bug_id, $p_notify_type, $t_id)); $t_exclude = false; foreach ($t_recipient_exclude_data as $t_plugin => $t_recipient_exclude_data2) { foreach ($t_recipient_exclude_data2 as $t_callback => $t_recipient_excluded) { # exclude if any plugin returns true (excludes the user) if ($t_recipient_excluded) { $t_exclude = true; log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, %s plugin dropped user @U%d', $p_bug_id, $t_plugin, $t_id)); } } } # user was excluded by a plugin if ($t_exclude) { continue; } # Finally, let's get their emails, if they've set one $t_email = user_get_email($t_id); if (is_blank($t_email)) { log_event(LOG_EMAIL_RECIPIENT, sprintf('Issue = #%d, drop @U%d (no email)', $p_bug_id, $t_id)); } else { # @@@ we could check the emails for validity again but I think # it would be too slow $t_final_recipients[$t_id] = $t_email; } } return $t_final_recipients; }
function email_collect_recipients($p_bug_id, $p_notify_type) { $c_bug_id = db_prepare_int($p_bug_id); $t_recipients = array(); # add Reporter if (ON == email_notify_flag($p_notify_type, 'reporter')) { $t_reporter_id = bug_get_field($p_bug_id, 'reporter_id'); $t_recipients[$t_reporter_id] = true; log_event(LOG_EMAIL_RECIPIENT, "bug={$p_bug_id}, add reporter={$t_reporter_id}"); } # add Handler if (ON == email_notify_flag($p_notify_type, 'handler')) { $t_handler_id = bug_get_field($p_bug_id, 'handler_id'); if ($t_handler_id > 0) { $t_recipients[$t_handler_id] = true; log_event(LOG_EMAIL_RECIPIENT, "bug={$p_bug_id}, add handler={$t_handler_id}"); } } $t_project_id = bug_get_field($p_bug_id, 'project_id'); # add users monitoring the bug $t_bug_monitor_table = config_get('mantis_bug_monitor_table'); if (ON == email_notify_flag($p_notify_type, 'monitor')) { $query = "SELECT DISTINCT user_id\n\t\t\t\t\t FROM {$t_bug_monitor_table}\n\t\t\t\t\t WHERE bug_id={$c_bug_id}"; $result = db_query($query); $count = db_num_rows($result); for ($i = 0; $i < $count; $i++) { $t_user_id = db_result($result, $i); $t_recipients[$t_user_id] = true; log_event(LOG_EMAIL_RECIPIENT, "bug={$p_bug_id}, add monitor={$t_user_id}"); } } # add users who contributed bugnotes $t_bugnote_id = bugnote_get_latest_id($p_bug_id); $t_bugnote_view = bugnote_get_field($t_bugnote_id, 'view_state'); $t_bugnote_date = db_unixtimestamp(bugnote_get_field($t_bugnote_id, 'last_modified')); $t_bug_date = bug_get_field($p_bug_id, 'last_updated'); $t_bugnote_table = config_get('mantis_bugnote_table'); if (ON == email_notify_flag($p_notify_type, 'bugnotes')) { $query = "SELECT DISTINCT reporter_id\n\t\t\t\t\t FROM {$t_bugnote_table}\n\t\t\t\t\t WHERE bug_id = {$c_bug_id}"; $result = db_query($query); $count = db_num_rows($result); for ($i = 0; $i < $count; $i++) { $t_user_id = db_result($result, $i); $t_recipients[$t_user_id] = true; log_event(LOG_EMAIL_RECIPIENT, "bug={$p_bug_id}, add note author={$t_user_id}"); } } # add project users who meet the thresholds $t_bug_is_private = bug_get_field($p_bug_id, 'view_state') == VS_PRIVATE; $t_threshold_min = email_notify_flag($p_notify_type, 'threshold_min'); $t_threshold_max = email_notify_flag($p_notify_type, 'threshold_max'); $t_threshold_users = project_get_all_user_rows($t_project_id, $t_threshold_min); foreach ($t_threshold_users as $t_user) { if ($t_user['access_level'] <= $t_threshold_max) { if (!$t_bug_is_private || access_compare_level($t_user['access_level'], config_get('private_bug_threshold'))) { $t_recipients[$t_user['id']] = true; log_event(LOG_EMAIL_RECIPIENT, "bug={$p_bug_id}, add project user="******"bug={$p_bug_id}, drop {$t_id} (own)"); continue; } # Eliminate users who don't exist anymore or who are disabled if (!user_exists($t_id) || !user_is_enabled($t_id)) { log_event(LOG_EMAIL_RECIPIENT, "bug={$p_bug_id}, drop {$t_id} (disabled)"); continue; } # Exclude users who have this notification type turned off if ($t_pref_field) { $t_notify = user_pref_get_pref($t_id, $t_pref_field); if (OFF == $t_notify) { log_event(LOG_EMAIL_RECIPIENT, "bug={$p_bug_id}, drop {$t_id} (pref {$t_pref_field} off)"); continue; } else { # Users can define the severity of an issue before they are emailed for # each type of notification $t_min_sev_pref_field = $t_pref_field . '_min_severity'; $t_min_sev_notify = user_pref_get_pref($t_id, $t_min_sev_pref_field); $t_bug_severity = bug_get_field($p_bug_id, 'severity'); if ($t_bug_severity < $t_min_sev_notify) { log_event(LOG_EMAIL_RECIPIENT, "bug={$p_bug_id}, drop {$t_id} (pref threshold)"); continue; } } } # check that user can see bugnotes if the last update included a bugnote if ($t_bug_date == $t_bugnote_date) { if (!access_has_bugnote_level(VIEWER, $t_bugnote_id, $t_id)) { log_event(LOG_EMAIL_RECIPIENT, "bug={$p_bug_id}, drop {$t_id} (access level)"); continue; } } # Finally, let's get their emails, if they've set one $t_email = user_get_email($t_id); if (is_blank($t_email)) { log_event(LOG_EMAIL_RECIPIENT, "bug={$p_bug_id}, drop {$t_id} (no email)"); } else { # @@@ we could check the emails for validity again but I think # it would be too slow $t_final_recipients[$t_id] = $t_email; } } return $t_final_recipients; }
public function put($request) { /** * Updates the note. * * Only the text and view state of the note can be altered. * * @param $request - The request we're responding to */ $this->note_id = Bugnote::get_mantis_id_from_url($request->url); if (!bugnote_exists($this->note_id)) { throw new HTTPException(404, "No such bug note: {$this->note_id}"); } # Check if the current user is allowed to edit the bugnote # (This comes from Mantis's bugnote_update.php) $user_id = auth_get_current_user_id(); $reporter_id = bugnote_get_field($this->note_id, 'reporter_id'); $bug_id = bugnote_get_field($this->note_id, 'bug_id'); if ($user_id != $reporter_id || OFF == config_get('bugnote_allow_user_edit_delete')) { if (!access_has_bugnote_level(config_get('update_bugnote_threshold'), $this->note_id)) { throw new HTTPException(403, "Access denied"); } } if (bug_is_readonly($bug_id)) { throw new HTTPException(500, "Can't edit a note on a read-only bug"); } $this->populate_from_repr($request->body); bugnote_set_view_state($this->note_id, !!$this->_get_rsrc_attr('private')); bugnote_set_text($this->note_id, $this->_get_mantis_attr('note')); $resp = new Response(); $resp->status = 204; return $resp; }
/** * Gets the billing information for the specified project during the specified date range. * * @param integer $p_project_id A project identifier or ALL_PROJECTS. * @param string $p_from Starting date (yyyy-mm-dd) inclusive, if blank, then ignored. * @param string $p_to Ending date (yyyy-mm-dd) inclusive, if blank, then ignored. * @param integer $p_cost_per_hour Cost per hour. * @return array array of bugnotes * @access public */ function billing_get_for_project($p_project_id, $p_from, $p_to, $p_cost_per_hour) { $t_params = array(); $c_to = strtotime($p_to) + SECONDS_PER_DAY - 1; $c_from = strtotime($p_from); if ($c_to === false || $c_from === false) { error_parameters(array($p_from, $p_to)); trigger_error(ERROR_GENERIC, ERROR); } if (ALL_PROJECTS != $p_project_id) { access_ensure_project_level(config_get('view_bug_threshold'), $p_project_id); $t_project_where = ' AND b.project_id = ' . db_param() . ' AND bn.bug_id = b.id '; $t_params[] = $p_project_id; } else { $t_project_ids = user_get_all_accessible_projects(); $t_project_where = ' AND b.project_id in (' . implode(', ', $t_project_ids) . ')'; } if (!is_blank($c_from)) { $t_from_where = ' AND bn.date_submitted >= ' . db_param(); $t_params[] = $c_from; } else { $t_from_where = ''; } if (!is_blank($c_to)) { $t_to_where = ' AND bn.date_submitted <= ' . db_param(); $t_params[] = $c_to; } else { $t_to_where = ''; } $t_results = array(); $t_query = 'SELECT bn.id id, bn.time_tracking minutes, bn.date_submitted as date_submitted, bnt.note note, u.realname realname, b.project_id project_id, b.summary bug_summary, bn.bug_id bug_id, bn.reporter_id reporter_id FROM {user} u, {bugnote} bn, {bug} b, {bugnote_text} bnt WHERE u.id = bn.reporter_id AND bn.time_tracking != 0 AND bn.bug_id = b.id AND bnt.id = bn.bugnote_text_id ' . $t_project_where . $t_from_where . $t_to_where . ' ORDER BY bn.id'; $t_result = db_query($t_query, $t_params); $t_cost_per_min = $p_cost_per_hour / 60.0; $t_access_level_required = config_get('time_tracking_view_threshold'); while ($t_row = db_fetch_array($t_result)) { if (!access_has_bugnote_level($t_access_level_required, $t_row['id'])) { continue; } $t_total_cost = $t_cost_per_min * $t_row['minutes']; $t_row['cost'] = $t_total_cost; $t_results[] = $t_row; } $t_billing_rows = billing_rows_to_array($t_results); return $t_billing_rows; }
/** * Delete a note given its id. * * @param string $p_username The name of the user trying to add a note to an issue. * @param string $p_password The password of the user. * @param integer $p_issue_note_id The id of the note to be deleted. * @return true: success, false: failure */ function mc_issue_note_delete($p_username, $p_password, $p_issue_note_id) { $t_user_id = mci_check_login($p_username, $p_password); if ($t_user_id === false) { return mci_soap_fault_login_failed(); } if ((int) $p_issue_note_id < 1) { return new soap_fault('Client', '', "Invalid issue note id '{$p_issue_note_id}'."); } if (!bugnote_exists($p_issue_note_id)) { return new soap_fault('Client', '', "Issue note '{$p_issue_note_id}' does not exist."); } $t_issue_id = bugnote_get_field($p_issue_note_id, 'bug_id'); $t_project_id = bug_get_field($t_issue_id, 'project_id'); if (!mci_has_readwrite_access($t_user_id, $t_project_id)) { return mci_soap_fault_access_denied($t_user_id); } $t_reporter_id = bugnote_get_field($p_issue_note_id, 'reporter_id'); // mirrors check from bugnote_delete.php if ($t_user_id == $t_reporter_id) { $t_threshold_config_name = 'bugnote_user_delete_threshold'; } else { $t_threshold_config_name = 'delete_bugnote_threshold'; } if (!access_has_bugnote_level(config_get($t_threshold_config_name), $p_issue_note_id)) { return mci_soap_fault_access_denied($t_user_id); } return bugnote_delete($p_issue_note_id); }
/** * Update a note * * @param string $p_username The name of the user trying to add a note to an issue. * param string $p_password The password of the user. * @param IssueNoteData $p_note The note to update. * @return true on success, false on failure */ function mc_issue_note_update($p_username, $p_password, $p_note) { $t_user_id = mci_check_login($p_username, $p_password); if ($t_user_id === false) { return mci_soap_fault_login_failed(); } if (!isset($p_note['id']) || is_blank($p_note['id'])) { return new soap_fault('Client', '', "Issue note id must not be blank."); } if (!isset($p_note['text']) || is_blank($p_note['text'])) { return new soap_fault('Client', '', "Issue note text must not be blank."); } $t_issue_note_id = $p_note['id']; if (!bugnote_exists($t_issue_note_id)) { return new soap_fault('Server', '', "Issue note '{$t_issue_note_id}' does not exist."); } $t_issue_id = bugnote_get_field($t_issue_note_id, 'bug_id'); $t_project_id = bug_get_field($t_issue_id, 'project_id'); if (!mci_has_readwrite_access($t_user_id, $t_project_id)) { return mci_soap_fault_access_denied($t_user_id); } $t_issue_author_id = bugnote_get_field($t_issue_note_id, 'reporter_id'); # Check if the user owns the bugnote and is allowed to update their own bugnotes # regardless of the update_bugnote_threshold level. $t_user_owns_the_bugnote = bugnote_is_user_reporter($t_issue_note_id, $t_user_id); $t_user_can_update_own_bugnote = config_get('bugnote_allow_user_edit_delete', null, $t_user_id, $t_project_id); if ($t_user_owns_the_bugnote && !$t_user_can_update_own_bugnote) { return mci_soap_fault_access_denied($t_user_id); } # Check if the user has an access level beyond update_bugnote_threshold for the # project containing the bugnote to update. $t_update_bugnote_threshold = config_get('update_bugnote_threshold', null, $t_user_id, $t_project_id); if (!$t_user_owns_the_bugnote && !access_has_bugnote_level($t_update_bugnote_threshold, $t_issue_note_id, $t_user_id)) { return mci_soap_fault_access_denied($t_user_id); } # Check if the bug is readonly if (bug_is_readonly($t_issue_id)) { return mci_soap_fault_access_denied($t_user_id, "Issue ' . {$t_issue_id} . ' is readonly"); } if (isset($p_note['view_state'])) { $t_view_state = $p_note['view_state']; $t_view_state_id = mci_get_enum_id_from_objectref('view_state', $t_view_state); bugnote_set_view_state($t_issue_note_id, $t_view_state_id); } bugnote_set_text($t_issue_note_id, $p_note['text']); return bugnote_date_update($t_issue_note_id); }