diff options
author | lpsolit%gmail.com <> | 2007-08-23 22:41:22 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2007-08-23 22:41:22 +0200 |
commit | cda6e20b9ab268a042b51f9ef868849c1da62d98 (patch) | |
tree | 576e26bd5ba662b42afdef63f71a2213fa8a102f | |
parent | 63e7d4ae05d9eeff9a7d8a2613d8b70012d036fa (diff) | |
download | bugzilla-cda6e20b9ab268a042b51f9ef868849c1da62d98.tar.gz bugzilla-cda6e20b9ab268a042b51f9ef868849c1da62d98.tar.xz |
Bug 382056: [SECURITY] Bugzilla::Webservice::Bug->get_bugs() doesn't check if the user is in the timetracking group when returning data - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
-rwxr-xr-x | Bugzilla/WebService/Bug.pm | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm index a2710c482..14ed2e7fd 100755 --- a/Bugzilla/WebService/Bug.pm +++ b/Bugzilla/WebService/Bug.pm @@ -70,6 +70,13 @@ sub get_bugs { ValidateBugID($bug_id); my $bug = new Bugzilla::Bug($bug_id); + # Timetracking fields are deleted if the user doesn't belong to + # the corresponding group. + unless (Bugzilla->user->in_group(Bugzilla->params->{'timetrackinggroup'})) { + delete $bug->{'estimated_time'}; + delete $bug->{'remaining_time'}; + delete $bug->{'deadline'}; + } # This is done in this fashion in order to produce a stable API. # The internals of Bugzilla::Bug are not stable enough to just # return them directly. |