author | SImon Green <sgreen+mozilla@redhat.com> | 2012-08-07 06:59:38 +0200 |
committer | Byron Jones <bjones@mozilla.com> | 2012-08-07 06:59:38 +0200 |
commit | 7c35aa81182fe6213876233627964d5515344e6a (patch) | |
tree | fe8f647d7ecb3811fa095d706ce8e6f7d29200cb | |
parent | 2137f365677d836e3d3c55c81634d0f732fecdfe (diff) | |
Bug 779709: Don't allow searching on changes to private attachments or comments
r=glob, a=LpSolit
-rw-r--r-- | Bugzilla/Search.pm | 39 |
1 files changed, 36 insertions, 3 deletions
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 9cab49ab8..9a5e888bc 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -2313,6 +2313,12 @@ sub _long_desc_changedbefore_after {
     };
     push(@$joins, $join);
     $args->{term} = "$table.bug_when IS NOT NULL";
+
+    # If the user is not part of the insiders group, they cannot see
+    # private comments
+    if (!$self->_user->is_insider) {
+        $args->{term} .= " AND $table.isprivate = 0";
+    }
 }
 
 sub _content_matches {
@@ -2795,8 +2801,10 @@ sub _changedbefore_changedafter {
         extra => ["$table.fieldid = $field_id",
                   "$table.bug_when $sql_operator $sql_date"],
     };
 
-    push(@$joins, $join);
+    $args->{term} = "$table.bug_when IS NOT NULL";
+    $self->_changed_security_check($args, $join);
+    push(@$joins, $join);
 }
 
 sub _changedfrom_changedto {
@@ -2815,9 +2823,10 @@ sub _changedfrom_changedto {
         extra => ["$table.fieldid = $field_id",
                   "$table.$column = $quoted"],
     };
 
-    push(@$joins, $join);
     $args->{term} = "$table.bug_when IS NOT NULL";
+    $self->_changed_security_check($args, $join);
+    push(@$joins, $join);
 }
 
 sub _changedby {
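Review bot: The new three-line sequence in `_changedbefore_changedafter` (`$args->{term} = ...; $self->_changed_security_check($args, $join); push(@$joins, $join);`) is order-dependent — the helper appends to `$args->{term}` with `.=`, so assigning the term after the call would silently drop the private-attachment filter — and the same sequence is repeated verbatim in `_changedfrom_changedto` here and in `_changedby` in the next hunk. A one-line comment at the first occurrence, `# set term before the security check: it only appends to it`, would record that; alternatively the helper could own the `$args->{term}` assignment so callers cannot reorder it. Each of the three subs, and `_long_desc_changedbefore_after` in the first hunk, begins before its hunk, so the `$table` and `$self->_user` used here are not visible in this diff.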
@@ -2836,8 +2845,32 @@ sub _changedby {
         extra => ["$table.fieldid = $field_id",
                   "$table.who = $user_id"],
     };
 
-    push(@$joins, $join);
+    $args->{term} = "$table.bug_when IS NOT NULL";
+    $self->_changed_security_check($args, $join);
+    push(@$joins, $join);
+}
+
+sub _changed_security_check {
+    my ($self, $args, $join) = @_;
+    my ($chart_id, $field) = @$args{qw(chart_id field)};
+
+    my $field_object = $self->_chart_fields->{$field}
+        || ThrowCodeError("invalid_field_name", { field => $field });
+    my $field_id = $field_object->id;
+
+    # If the user is not part of the insiders group, they cannot see
+    # changes to attachments (including attachment flags) that are private
+    if ($field =~ /^(?:flagtypes\.name$|attach)/ and !$self->_user->is_insider) {
+        $join->{then_to} = {
+            as    => "attach_${field_id}_$chart_id",
+            table => 'attachments',
+            from  => "act_${field_id}_$chart_id.attach_id",
+            to    => 'attach_id',
+        };
+
+        $args->{term} .= " AND COALESCE(attach_${field_id}_$chart_id.isprivate, 0) = 0";
+    }
 }
 
 ######################
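Review bot: `_changed_security_check` re-resolves `$field_object` from `_chart_fields` and re-throws `invalid_field_name`, although each caller in this commit already holds `$field_id` from that same lookup a few lines earlier; passing `$field_id` in, or deriving it from `$join->{as}`, would remove the duplicate lookup and the second error path. The match `/^(?:flagtypes\.name$|attach)/` folds an exact match and a prefix match into one alternation; written as `if (($field eq 'flagtypes.name' or $field =~ /\Aattach/) and !$self->_user->is_insider) {` the rule — attachment fields plus flag names, where attachment flags live — reads without decoding the regex. The helper also overwrites any `then_to` the join already carries and relies on `$args->{term}` being set beforehand because it only appends; a header comment such as `# Callers set $args->{term} first; for attachment-related fields this appends the private-attachment filter and adds a then_to join from the activity row's attach_id.` would make that contract explicit. The `_changedby` body begins before this hunk.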