summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimon Green <simon@simongreen.net>2015-04-13 22:42:14 +0200
committerDavid Lawrence <dkl@mozilla.com>2015-04-13 22:42:14 +0200
commit802a5cccd273b9c9bc25d3251452147cb84f5571 (patch)
tree7ec5cf03d4b5bd20b95948c3206178e80f8491f8
parent0bcbc0faba0a0ed80eab653d3a696764686d202c (diff)
downloadbugzilla-802a5cccd273b9c9bc25d3251452147cb84f5571.tar.gz
bugzilla-802a5cccd273b9c9bc25d3251452147cb84f5571.tar.xz
Bug 1151290: It is possible to tell if someone made a private comment on a bug even if you are not an 'insider'
r=dkl,a=glob
-rw-r--r--Bugzilla/Search.pm10
1 files changed, 8 insertions, 2 deletions
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index e06e706a7..5cf36a761 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -2520,11 +2520,17 @@ sub _user_nonchanged {
sub _long_desc_changedby {
my ($self, $args) = @_;
my ($chart_id, $joins, $value) = @$args{qw(chart_id joins value)};
-
+
my $table = "longdescs_$chart_id";
push(@$joins, { table => 'longdescs', as => $table });
my $user_id = $self->_get_user_id($value);
$args->{term} = "$table.who = $user_id";
+
+ # If the user is not part of the insiders group, they cannot see
+ # private comments
+ if (!$self->_user->is_insider) {
+ $args->{term} .= " AND $table.isprivate = 0";
+ }
}
sub _long_desc_changedbefore_after {
@@ -2532,7 +2538,7 @@ sub _long_desc_changedbefore_after {
my ($chart_id, $operator, $value, $joins) =
@$args{qw(chart_id operator value joins)};
my $dbh = Bugzilla->dbh;
-
+
my $sql_operator = ($operator =~ /before/) ? '<=' : '>=';
my $table = "longdescs_$chart_id";
my $sql_date = $dbh->quote(SqlifyDate($value));