Filter the affected package bases before closing any package requests.

Signed-off-by: Lukas Fleischer <[email protected]>
---
 web/lib/pkgbasefuncs.inc.php | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php
index 50cb47e..d10b5ad 100644
--- a/web/lib/pkgbasefuncs.inc.php
+++ b/web/lib/pkgbasefuncs.inc.php
@@ -579,7 +579,25 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
                }
        }
 
+       /* Verify package ownership. */
        $base_ids = sanitize_ids($base_ids);
+
+       $q = "SELECT ID FROM PackageBases ";
+       $q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
+
+       if ($action && !has_credential(CRED_PKGBASE_ADOPT)) {
+               /* Regular users may only adopt orphan packages. */
+               $q.= "AND MaintainerUID IS NULL";
+       }
+       if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) {
+               /* Regular users may only disown their own packages. */
+               $q.= "AND MaintainerUID = " . $uid;
+       }
+
+       $result = $dbh->query($q);
+       $base_ids = $result->fetchAll(PDO::FETCH_COLUMN, 0);
+
+       /* Error out if the list of remaining packages is empty. */
        if (empty($base_ids)) {
                if ($action) {
                        return array(false, __("You did not select any packages 
to adopt."));
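Review bot: The new SELECT runs before the empty-list check, so if sanitize_ids() returns an empty array (its body is not visible here) the statement is built with `WHERE ID IN ()`, which is invalid SQL. `$result->fetchAll()` is then called on whatever `$dbh->query($q)` returned. Skip the query when `$base_ids` is already empty and test the result first, e.g. `$base_ids = $result ? $result->fetchAll(PDO::FETCH_COLUMN, 0) : array();`. Separately, the second hunk drops the `AND MaintainerUID ...` clauses from the UPDATE, which turns the ownership check into check-then-act: a package whose maintainer changes between this SELECT and the later UPDATE would still be overwritten, so keep those clauses on the UPDATE as well or run both statements in one transaction. pkgbase_adopt begins and ends outside the hunk, so the origin of `$uid`, which is concatenated into the query, cannot be confirmed from here; an integer cast at that point would be a cheap safeguard.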
@@ -618,16 +636,6 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
                $q.= "SET MaintainerUID = NULL ";
        }
        $q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
-
-       if ($action && !has_credential(CRED_PKGBASE_ADOPT)) {
-               /* Regular users may only adopt orphan packages. */
-               $q.= "AND MaintainerUID IS NULL";
-       }
-       if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) {
-               /* Regular users may only disown their own packages. */
-               $q.= "AND MaintainerUID = " . $uid;
-       }
-
        $dbh->exec($q);
 
        if ($action) {
-- 
2.4.1
