diff options
author | SImon Green <sgreen+mozilla@redhat.com> | 2012-08-07 06:57:11 +0200 |
---|---|---|
committer | Byron Jones <bjones@mozilla.com> | 2012-08-07 06:57:11 +0200 |
commit | 390de95d9f3f08e943298942ab69780758e76944 (patch) | |
tree | 6cfa3d8bdabdc6890fd571154c09ec1871599b80 | |
parent | aefdf269ff52f02c16a350329f485c041479507e (diff) | |
download | bugzilla-390de95d9f3f08e943298942ab69780758e76944.tar.gz bugzilla-390de95d9f3f08e943298942ab69780758e76944.tar.xz |
Bug 779709: Don't allow searching on changes to private attachments or comments
r=glob, a=LpSolit
-rw-r--r-- | Bugzilla/Search.pm | 39 |
1 files changed, 36 insertions, 3 deletions
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index 21a952e9c..fbbc39a4e 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm @@ -2296,6 +2296,12 @@ sub _long_desc_changedbefore_after { }; push(@$joins, $join); $args->{term} = "$table.bug_when IS NOT NULL"; + + # If the user is not part of the insiders group, they cannot see + # private comments + if (!$self->_user->is_insider) { + $args->{term} .= " AND $table.isprivate = 0"; + } } sub _content_matches { @@ -2778,8 +2784,10 @@ sub _changedbefore_changedafter { extra => ["$table.fieldid = $field_id", "$table.bug_when $sql_operator $sql_date"], }; - push(@$joins, $join); + $args->{term} = "$table.bug_when IS NOT NULL"; + $self->_changed_security_check($args, $join); + push(@$joins, $join); } sub _changedfrom_changedto { @@ -2798,9 +2806,10 @@ sub _changedfrom_changedto { extra => ["$table.fieldid = $field_id", "$table.$column = $quoted"], }; - push(@$joins, $join); $args->{term} = "$table.bug_when IS NOT NULL"; + $self->_changed_security_check($args, $join); + push(@$joins, $join); } sub _changedby { @@ -2819,8 +2828,32 @@ sub _changedby { extra => ["$table.fieldid = $field_id", "$table.who = $user_id"], }; - push(@$joins, $join); + $args->{term} = "$table.bug_when IS NOT NULL"; + $self->_changed_security_check($args, $join); + push(@$joins, $join); +} + +sub _changed_security_check { + my ($self, $args, $join) = @_; + my ($chart_id, $field) = @$args{qw(chart_id field)}; + + my $field_object = $self->_chart_fields->{$field} + || ThrowCodeError("invalid_field_name", { field => $field }); + my $field_id = $field_object->id; + + # If the user is not part of the insiders group, they cannot see + # changes to attachments (including attachment flags) that are private + if ($field =~ /^(?:flagtypes\.name$|attach)/ and !$self->_user->is_insider) { + $join->{then_to} = { + as => "attach_${field_id}_$chart_id", + table => 'attachments', + from => "act_${field_id}_$chart_id.attach_id", + to => 'attach_id', + }; + + $args->{term} .= " AND COALESCE(attach_${field_id}_$chart_id.isprivate, 0) = 0"; + } } ###################### |