authorDave Lawrence <dlawrence@mozilla.com>2014-02-25 22:31:40 +0100
committerDave Lawrence <dlawrence@mozilla.com>2014-02-25 22:31:40 +0100
commit3ff1cbe6e067833673c6e5d2e64d76613398ed69 (patch)
tree59317c2c79668ffd19256f621b8e826c14aba7a7
parent0446b5c7b035bcfe9d54d863e8de3864d712c542 (diff)
downloadbugzilla-3ff1cbe6e067833673c6e5d2e64d76613398ed69.tar.gz
bugzilla-3ff1cbe6e067833673c6e5d2e64d76613398ed69.tar.xz
Bug 962060 - User.get ignores the "maxusermatches" parameter and allows listing all email addresses
r=LpSolit,a=justdave
-rw-r--r--Bugzilla/WebService/User.pm28
1 files changed, 22 insertions, 6 deletions
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index c440d135d..f3012ebc5 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -16,10 +16,10 @@ use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Group;
use Bugzilla::User;
-use Bugzilla::Util qw(trim);
+use Bugzilla::Util qw(trim detaint_natural);
use Bugzilla::WebService::Util qw(filter filter_wants validate translate params_to_objects);
-use List::Util qw(first);
+use List::Util qw(first min);
# Don't need auth to login
use constant LOGIN_EXEMPT => {
@@ -209,12 +209,17 @@ sub get {
userid => $obj->id});
}
}
-
+
# User Matching
- my $limit;
- if ($params->{'maxusermatches'}) {
- $limit = $params->{'maxusermatches'} + 1;
+ my $limit = Bugzilla->params->{maxusermatches};
+ if ($params->{limit}) {
+ detaint_natural($params->{limit})
+ || ThrowCodeError('param_must_be_numeric',
+ { function => 'Bugzilla::WebService::User::match',
+ param => 'limit' });
+ $limit = $limit ? min($params->{limit}, $limit) : $params->{limit};
}
+
my $exclude_disabled = $params->{'include_disabled'} ? 0 : 1;
foreach my $match_string (@{ $params->{'match'} || [] }) {
my $matched = Bugzilla::User::match($match_string, $limit, $exclude_disabled);
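Review bot: A client can still clear the cap with an all-zero digit string such as `limit => "00"`: it is truthy for the `if ($params->{limit})` guard on the second added line, `detaint_natural` reduces it to 0, and `min(0, $limit)` on the last added line then sets `$limit` to 0 — which, if `Bugzilla::User::match` treats 0 as "no limit" the way the `maxusermatches` parameter does, re-enables the full address listing this commit is closing. Require a positive value where the parameter is validated, `detaint_natural($params->{limit}) && $params->{limit} > 0`, keeping the `|| ThrowCodeError(...)` that follows; this also matches the "greater than zero" wording the commit adds to the POD. Separately, the `function` passed to that error is `Bugzilla::WebService::User::match`, but per the hunk header this code is in `get`, so the error a client receives points at the wrong method. `get` starts and ends outside the hunk.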
@@ -865,6 +870,13 @@ if they try. (This is to make it harder for spammers to harvest email
addresses from Bugzilla, and also to enforce the user visibility
restrictions that are implemented on some Bugzillas.)
+=item C<limit> (int)
+
+Limit the number of users matched by the C<match> parameter. If value
+is greater than the system limit, the system limit will be used. This
+parameter is only used when user matching using the C<match> parameter
+is being performed.
+
=item C<group_ids> (array)
=item C<groups> (array)
@@ -1009,6 +1021,10 @@ querying your own account, even if you are in the editusers group.
You passed an invalid login name in the "names" array or a bad
group ID in the C<group_ids> argument.
+=item 52 (Invalid Parameter)
+
+The value used must be an integer greater than zero.
+
=item 304 (Authorization Required)
You are logged in, but you are not authorized to see one of the users you
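Review bot: The new error entry does not say which parameter it applies to, and it sits among entries for other arguments of `get`, so a client reading "The value used must be an integer greater than zero" cannot tell it refers to `limit`. Name the parameter, e.g. `The value of C<limit> must be an integer greater than zero.`. It would also help to note that this code is returned only when user matching via C<match> is performed, since that is the only path on which `limit` is validated.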