Bug 952284 - Tags set to private comments should not be disclosed to everybody in the bug activity table

r=LpSolit,a=sgreen

1 files changed, 11 insertions, 0 deletions

diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index f0476c898..b4e8c361a 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -3872,6 +3872,15 @@ sub get_activity {
         && $include_comment_tags
         && !$attach_id)
     {
+        # Only includes comment tag activity for comments the user is allowed to see.
+        $suppjoins = "";
+        $suppwhere = "";
+        if (!Bugzilla->user->is_insider) {
+            $suppjoins = "INNER JOIN longdescs
+                          ON longdescs.comment_id = longdescs_tags_activity.comment_id";
+            $suppwhere = "AND longdescs.isprivate = 0";
+        }
+
         $query .= "
             UNION ALL
             SELECT 'comment_tag' AS name,
@@ -3883,8 +3892,10 @@ sub get_activity {
                    longdescs_tags_activity.comment_id as comment_id
               FROM longdescs_tags_activity
                    INNER JOIN profiles ON profiles.userid = longdescs_tags_activity.who
+                   $suppjoins
              WHERE longdescs_tags_activity.bug_id = ?
                    $datepart
+                   $suppwhere
         ";
         push @args, $self->id;
         push @args, $starttime if defined $starttime;