author | Dave Lawrence <dlawrence@mozilla.com> | 2014-02-25 22:31:40 +0100 |
---|---|---|
committer | Dave Lawrence <dlawrence@mozilla.com> | 2014-02-25 22:31:40 +0100 |
commit | 3ff1cbe6e067833673c6e5d2e64d76613398ed69 (patch) | |
tree | 59317c2c79668ffd19256f621b8e826c14aba7a7 | |
parent | 0446b5c7b035bcfe9d54d863e8de3864d712c542 (diff) | |
Bug 962060 - User.get ignores the "maxusermatches" parameter and allows listing all email addresses
r=LpSolit,a=justdave
-rw-r--r-- | Bugzilla/WebService/User.pm | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index c440d135d..f3012ebc5 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -16,10 +16,10 @@ use Bugzilla::Constants;
 use Bugzilla::Error;
 use Bugzilla::Group;
 use Bugzilla::User;
-use Bugzilla::Util qw(trim);
+use Bugzilla::Util qw(trim detaint_natural);
 use Bugzilla::WebService::Util qw(filter filter_wants validate translate params_to_objects);
-use List::Util qw(first);
+use List::Util qw(first min);
 # Don't need auth to login
 use constant LOGIN_EXEMPT => {
@@ -209,12 +209,17 @@ sub get {
 userid => $obj->id});
 }
 }
- 
+
 # User Matching
- my $limit;
- if ($params->{'maxusermatches'}) {
- $limit = $params->{'maxusermatches'} + 1;
+ my $limit = Bugzilla->params->{maxusermatches};
+ if ($params->{limit}) {
+ detaint_natural($params->{limit})
+ || ThrowCodeError('param_must_be_numeric',
+ { function => 'Bugzilla::WebService::User::match',
+ param => 'limit' });
+ $limit = $limit ? min($params->{limit}, $limit) : $params->{limit};
 }
+
 my $exclude_disabled = $params->{'include_disabled'} ? 0 : 1;
 foreach my $match_string (@{ $params->{'match'} || [] }) {
 my $matched = Bugzilla::User::match($match_string, $limit, $exclude_disabled);
@@ -865,6 +870,13 @@ if they try. (This is to make it harder for spammers to harvest email
 addresses from Bugzilla, and also to enforce the user visibility
 restrictions that are implemented on some Bugzillas.)
+=item C<limit> (int)
+
+Limit the number of users matched by the C<match> parameter. If value
+is greater than the system limit, the system limit will be used. This
+parameter is only used when user matching using the C<match> parameter
+is being performed.
+
 =item C<group_ids> (array)
 =item C<groups> (array)
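Review bot: The new validation in the get() hunk rejects non-numeric limits but not zero-valued ones: `if ($params->{limit})` lets a value such as `"00"` through because it is true as a string, `detaint_natural` accepts it if it only requires digits, and `min("00", $limit)` then selects it, so `Bugzilla::User::match` receives a limit that is numerically zero — what a zero limit means there is decided outside this hunk, while the added POD promises error 52 for anything not greater than zero. I would make the rejection explicit and numeric, e.g. `ThrowCodeError('param_must_be_numeric', { function => 'Bugzilla::WebService::User::match', param => 'limit' }) unless detaint_natural($params->{limit}) && $params->{limit} > 0;`, and change the outer test to `if (defined $params->{limit})` so that a plain `0` also yields error 52 instead of silently falling back to the site limit. The ternary `$limit = $limit ? min(...) : $params->{limit};` is the only line enforcing the site-wide maxusermatches ceiling and deserves a comment such as `# A false site limit means no site-wide cap; otherwise a client may only lower it, never raise it.` The enclosing sub get starts and ends outside the hunk.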
@@ -1009,6 +1021,10 @@ querying your own account, even if you are in the editusers group.
 You passed an invalid login name in the "names" array or a bad group ID in the C<group_ids> argument.
+=item 52 (Invalid Parameter)
+
+The value used must be an integer greater than zero.
+
 =item 304 (Authorization Required)
 You are logged in, but you are not authorized to see one of the users you |