authorSImon Green <sgreen+mozilla@redhat.com>2012-08-07 06:59:38 +0200
committerByron Jones <bjones@mozilla.com>2012-08-07 06:59:38 +0200
commit7c35aa81182fe6213876233627964d5515344e6a (patch)
treefe8f647d7ecb3811fa095d706ce8e6f7d29200cb
parent2137f365677d836e3d3c55c81634d0f732fecdfe (diff)
downloadbugzilla-7c35aa81182fe6213876233627964d5515344e6a.tar.gz
bugzilla-7c35aa81182fe6213876233627964d5515344e6a.tar.xz
Bug 779709: Don't allow searching on changes to private attachments or comments
r=glob, a=LpSolit
-rw-r--r--Bugzilla/Search.pm39
1 files changed, 36 insertions, 3 deletions
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 9cab49ab8..9a5e888bc 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -2313,6 +2313,12 @@ sub _long_desc_changedbefore_after {
};
push(@$joins, $join);
$args->{term} = "$table.bug_when IS NOT NULL";
+
+ # If the user is not part of the insiders group, they cannot see
+ # private comments
+ if (!$self->_user->is_insider) {
+ $args->{term} .= " AND $table.isprivate = 0";
+ }
}
sub _content_matches {
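Review bot: The non-insider restriction added at `if (!$self->_user->is_insider)` is inlined into this longdescs path, while the three bugs_activity paths in the same commit route the equivalent restriction through `_changed_security_check`; keeping all four in one place (a sibling `_long_desc_security_check`, or a field-type branch in the existing helper) would make a missed search path easier to spot in review. The filter is appended to `$args->{term}` rather than to the join's `extra`, so a private comment is hidden from the match itself; if the caller negates the term, a bug whose only matching comment is private will read as "not changed" to a non-insider, which appears to be the intended result but deserves a sentence in the comment, e.g. `# Applied to the term (not the join) so a negated search also treats private comments as invisible.` Any other longdescs-based search function elsewhere in this file, if one exists, needs the same filter; `_long_desc_changedbefore_after` begins outside this hunk.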
@@ -2795,8 +2801,10 @@ sub _changedbefore_changedafter {
extra => ["$table.fieldid = $field_id",
"$table.bug_when $sql_operator $sql_date"],
};
- push(@$joins, $join);
+
$args->{term} = "$table.bug_when IS NOT NULL";
+ $self->_changed_security_check($args, $join);
+ push(@$joins, $join);
}
sub _changedfrom_changedto {
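Review bot: Moving `push(@$joins, $join)` below `$self->_changed_security_check($args, $join)` is not required for correctness, because `$join` is a hash reference and the helper's `then_to` write would be visible through the already-pushed reference either way; the reorder is a readability choice, which is fine, but the three call sites (this hunk, `_changedfrom_changedto`, and `_changedby`) should then look identical, and currently the blank line inserted after `};` appears here and in `_changedby` but not in `_changedfrom_changedto`. A one-line comment at each call, `# adds the attachment-privacy join and term for non-insiders`, would also tell a reader why the helper must run before the join is used. `_changedbefore_changedafter` begins outside this hunk.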
@@ -2815,9 +2823,10 @@ sub _changedfrom_changedto {
extra => ["$table.fieldid = $field_id",
"$table.$column = $quoted"],
};
- push(@$joins, $join);
$args->{term} = "$table.bug_when IS NOT NULL";
+ $self->_changed_security_check($args, $join);
+ push(@$joins, $join);
}
sub _changedby {
@@ -2836,8 +2845,32 @@ sub _changedby {
extra => ["$table.fieldid = $field_id",
"$table.who = $user_id"],
};
- push(@$joins, $join);
+
$args->{term} = "$table.bug_when IS NOT NULL";
+ $self->_changed_security_check($args, $join);
+ push(@$joins, $join);
+}
+
+sub _changed_security_check {
+ my ($self, $args, $join) = @_;
+ my ($chart_id, $field) = @$args{qw(chart_id field)};
+
+ my $field_object = $self->_chart_fields->{$field}
+ || ThrowCodeError("invalid_field_name", { field => $field });
+ my $field_id = $field_object->id;
+
+ # If the user is not part of the insiders group, they cannot see
+ # changes to attachments (including attachment flags) that are private
+ if ($field =~ /^(?:flagtypes\.name$|attach)/ and !$self->_user->is_insider) {
+ $join->{then_to} = {
+ as => "attach_${field_id}_$chart_id",
+ table => 'attachments',
+ from => "act_${field_id}_$chart_id.attach_id",
+ to => 'attach_id',
+ };
+
+ $args->{term} .= " AND COALESCE(attach_${field_id}_$chart_id.isprivate, 0) = 0";
+ }
}
######################
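Review bot: In `_changed_security_check` the `from => "act_${field_id}_$chart_id.attach_id"` entry rebuilds the activity join's alias from `$field_id` and `$chart_id` instead of reading it from the join it is handed; if any caller ever names its alias differently the `then_to` join silently references a missing table, so `from => "$join->{as}.attach_id"` ties the helper to the actual alias, and `$field_id` could likewise be passed in rather than re-derived from `_chart_fields`. The regex `/^(?:flagtypes\.name$|attach)/` also matches bug-level flag changes, which presumably carry a NULL `attach_id` and are kept visible only because of `COALESCE(..., 0) = 0`; that is worth a comment, e.g. `# COALESCE keeps changes with no attachment (bug-level flags) visible; only rows joined to a private attachment are dropped.` The `}` closing the new sub at the end of this hunk is the pre-existing context line that formerly closed `_changedby`.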