From e8cd6abc6e8921223a7a290088153bffc364e9d5 Mon Sep 17 00:00:00 2001
From: canyonknight <canyonknight@gmail.com>
Date: Thu, 9 Aug 2012 21:15:50 -0400
Subject: Allow only Trusted Users, Developers, and Maintainers to unflag
 packages

Currently everyone is allowed to unflag a package as out of date. This should
be limited to only the appropriate people for a specific package.

Fixes FS#27263

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/lib/pkgfuncs.inc.php      | 4 ++++
 web/template/actions_form.php | 3 ++-
 web/template/pkg_details.php  | 3 ++-
 3 files changed, 8 insertions(+), 2 deletions(-)

(limited to 'web')

diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index 6fad628..c592e39 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -728,6 +728,10 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) {
 	}
 	$q.= " WHERE ID IN (" . implode(",", $ids) . ")";
 
+	if (!$action && ($atype != "Trusted User" && $atype != "Developer")) {
+		$q.= "AND MaintainerUID = " . uid_from_sid($_COOKIE["AURSID"], $dbh);
+	}
+
 	db_query($q, $dbh);
 
 	if ($action) {
diff --git a/web/template/actions_form.php b/web/template/actions_form.php
index bfc0611..d687f50 100644
--- a/web/template/actions_form.php
+++ b/web/template/actions_form.php
@@ -21,7 +21,8 @@
 
 		<?php if ($row["OutOfDateTS"] === NULL): ?>
 			<input type="submit" class="button" name="do_Flag" value="<?php echo __("Flag Out-of-date") ?>" />
-		<?php else: ?>
+		<?php elseif (($row["OutOfDateTS"] !== NULL) &&
+		($uid == $row["MaintainerUID"] || $atype == "Trusted User" || $atype == "Developer")): ?>
 			<input type="submit" class="button" name="do_UnFlag" value="<?php echo __("UnFlag Out-of-date") ?>" />
 		<?php endif; ?>
 		<?php endif; ?>
diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php
index da173ec..7176e10 100644
--- a/web/template/pkg_details.php
+++ b/web/template/pkg_details.php
@@ -40,7 +40,8 @@ $sources = package_sources($row["ID"]);
 				<?php if ($USE_VIRTUAL_URLS && $uid): ?>
 				<?php if ($row["OutOfDateTS"] === NULL): ?>
 				<li><a href="<?php echo get_pkg_uri($row['Name']) . 'flag/'; ?>"><?php echo __('Flag package out-of-date'); ?></a></li>
-				<?php else: ?>
+				<?php elseif (($row["OutOfDateTS"] !== NULL) &&
+				($uid == $row["MaintainerUID"] || $atype == "Trusted User" || $atype == "Developer")): ?>
 				<li><a href="<?php echo get_pkg_uri($row['Name']) . 'unflag/'; ?>"><?php echo __('Unflag package'); ?></a></li>
 				<?php endif; ?>
 				<?php if (user_voted($uid, $row['ID'])): ?>
-- 
cgit v1.2.3-54-g00ecf