diff options
author | lpsolit%gmail.com <> | 2006-10-15 06:04:55 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2006-10-15 06:04:55 +0200 |
commit | 79b572263ea0dfcc1638757057825c3e6a2ee38d (patch) | |
tree | 2d373b78667d1af5e6ba588f28143229dbb2da77 /Bugzilla/User.pm | |
parent | b0ddda44bee03e94f04368dd68e8c0784de4a945 (diff) | |
download | bugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.gz bugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.xz |
Bug 346086: [SECURITY] attachment.cgi lets you view descriptions of private attachments even when you are not in the insidergroup - Patch by Frédéric Buclin <LpSolit@gmail.com> r=myk a=justdave
Diffstat (limited to 'Bugzilla/User.pm')
-rw-r--r-- | Bugzilla/User.pm | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index 19a72b9e7..02f17b85d 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -1348,6 +1348,17 @@ sub is_mover { return $self->{'is_mover'}; } +sub is_insider { + my $self = shift; + + if (!defined $self->{'is_insider'}) { + my $insider_group = Bugzilla->params->{'insidergroup'}; + $self->{'is_insider'} = + ($insider_group && $self->in_group($insider_group)) ? 1 : 0; + } + return $self->{'is_insider'}; +} + sub get_userlist { my $self = shift; @@ -1886,6 +1897,11 @@ Returns true if the user is in the list of users allowed to move bugs to another database. Note that this method doesn't check whether bug moving is enabled. +=item C<is_insider> + +Returns true if the user can access private comments and attachments, +i.e. if the 'insidergroup' parameter is set and the user belongs to this group. + =back =head1 CLASS FUNCTIONS |