Skip to content
Snippets Groups Projects
Commit 9bce9860 authored by Jared Hancock's avatar Jared Hancock
Browse files

forms: Fix attachment security merge conflict 

Somehow the attachment security checks got duplicated and messed up. Perhaps
it was a bad merge?
parent c2e81b8f
Branches
Tags
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 11 additions and 25 deletions
include/class.forms.php
+ 11
25
View file @ 9bce9860
...@@ -3675,8 +3675,9 @@ class FileUploadWidget extends Widget { ...@@ -3675,8 +3675,9 @@ class FileUploadWidget extends Widget {
// Add in newly added files not yet saved (if redisplaying after an // Add in newly added files not yet saved (if redisplaying after an
// error) // error)
if ($new) { if ($new) {
$F = array_merge($F, AttachmentFile::objects()->filter(array( $F = array_merge($F, AttachmentFile::objects()
'id__in' => array_keys($new)))->all()); ->filter(array('id__in' => array_keys($new)))
->all());
} }
foreach ($F as $file) { foreach ($F as $file) {
$files[] = array( $files[] = array(
...@@ -3730,33 +3731,18 @@ class FileUploadWidget extends Widget { ...@@ -3730,33 +3731,18 @@ class FileUploadWidget extends Widget {
return $ids; return $ids;
} }
// Files uploaded here MUST have been uploaded by this user and
// identified in the session
//
// If no value was sent, assume an empty list // If no value was sent, assume an empty list
if (!($files = parent::getValue())) if (!($files = parent::getValue()))
return array(); return array();
// Files uploaded here MUST have been uploaded by this user and $allowed = array();
// identified in the session // Files already attached to the field are allowed
if ($files = parent::getValue()) { foreach ($this->field->getFiles() as $F) {
$allowed = array(); // FIXME: This will need special porting in v1.10
// Files already attached to the field are allowed $allowed[$F->id] = 1;
foreach ($this->field->getFiles() as $F) {
// FIXME: This will need special porting in v1.10
$allowed[$F->id] = 1;
}
// New files uploaded in this session are allowed
if (isset($_SESSION[':uploadedFiles'])) {
$allowed += $_SESSION[':uploadedFiles'];
}
// Canned attachments initiated by this session
if (isset($_SESSION[':cannedFiles']))
$allowed += $_SESSION[':cannedFiles'];
foreach ($files as $i=>$F) {
if (!isset($allowed[$F])) {
unset($files[$i]);
}
}
} }
// New files uploaded in this session are allowed // New files uploaded in this session are allowed
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment