[aur-dev] [PATCH 1/3] Fix the permission check in pkgbase_adopt()
Lukas Fleischer
lfleischer at archlinux.org
Fri May 22 15:29:40 UTC 2015
Filter the affected package bases before closing any package requests.
Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
---
web/lib/pkgbasefuncs.inc.php | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php
index 50cb47e..d10b5ad 100644
--- a/web/lib/pkgbasefuncs.inc.php
+++ b/web/lib/pkgbasefuncs.inc.php
@@ -579,7 +579,25 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
}
}
+ /* Verify package ownership. */
$base_ids = sanitize_ids($base_ids);
+
+ $q = "SELECT ID FROM PackageBases ";
+ $q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
+
+ if ($action && !has_credential(CRED_PKGBASE_ADOPT)) {
+ /* Regular users may only adopt orphan packages. */
+ $q.= "AND MaintainerUID IS NULL";
+ }
+ if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) {
+ /* Regular users may only disown their own packages. */
+ $q.= "AND MaintainerUID = " . $uid;
+ }
+
+ $result = $dbh->query($q);
+ $base_ids = $result->fetchAll(PDO::FETCH_COLUMN, 0);
+
+ /* Error out if the list of remaining packages is empty. */
if (empty($base_ids)) {
if ($action) {
return array(false, __("You did not select any packages to adopt."));
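Review bot: The new SELECT runs before the `empty($base_ids)` check, so if `sanitize_ids()` can return an empty array (the existing check below suggests it can), the query is built as `WHERE ID IN ()`, which MySQL rejects as a syntax error, and `$result->fetchAll()` is then called on a failed query. Guard the lookup with `if (!empty($base_ids)) { ... }` and test `$result` before calling `fetchAll()`. Separately, the ownership test now lives only in this SELECT, because the second hunk drops it from the UPDATE. Unless both statements run inside one transaction not visible here, a package base whose maintainer changes between them is still overwritten, and keeping the `MaintainerUID` condition on the UPDATE as well would close that window. `$uid` is concatenated into the SQL and its origin is outside the hunk, as are the start and end of pkgbase_adopt(), so confirm it is an integer or use `intval($uid)`.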
@@ -618,16 +636,6 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
$q.= "SET MaintainerUID = NULL ";
}
$q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
-
- if ($action && !has_credential(CRED_PKGBASE_ADOPT)) {
- /* Regular users may only adopt orphan packages. */
- $q.= "AND MaintainerUID IS NULL";
- }
- if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) {
- /* Regular users may only disown their own packages. */
- $q.= "AND MaintainerUID = " . $uid;
- }
-
$dbh->exec($q);
if ($action) {
--
2.4.1