Bug 346086: [SECURITY] attachment.cgi lets you view descriptions of private attachments even when you are not in the insidergroup - Patch by Frédéric Buclin <LpSolit@gmail.com> r=myk a=justdave

author: lpsolit%gmail.com <> 2006-10-15 06:04:55 +0200
committer: lpsolit%gmail.com <> 2006-10-15 06:04:55 +0200
commit: 79b572263ea0dfcc1638757057825c3e6a2ee38d (patch)
tree: 2d373b78667d1af5e6ba588f28143229dbb2da77 /Bugzilla/User.pm
parent: b0ddda44bee03e94f04368dd68e8c0784de4a945 (diff)
download: bugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.gz
bugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.xz
1 files changed, 16 insertions, 0 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 19a72b9e7..02f17b85d 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1348,6 +1348,17 @@ sub is_mover {
     return $self->{'is_mover'};
 }
 
+sub is_insider {
+    my $self = shift;
+
+    if (!defined $self->{'is_insider'}) {
+        my $insider_group = Bugzilla->params->{'insidergroup'};
+        $self->{'is_insider'} =
+            ($insider_group && $self->in_group($insider_group)) ? 1 : 0;
+    }
+    return $self->{'is_insider'};
+}
+
 sub get_userlist {
     my $self = shift;
 
@@ -1886,6 +1897,11 @@ Returns true if the user is in the list of users allowed to move bugs
 to another database. Note that this method doesn't check whether bug
 moving is enabled.
 
+=item C<is_insider>
+
+Returns true if the user can access private comments and attachments,
+i.e. if the 'insidergroup' parameter is set and the user belongs to this group.
+
 =back
 
 =head1 CLASS FUNCTIONS
author	lpsolit%gmail.com <>	2006-10-15 06:04:55 +0200
committer	lpsolit%gmail.com <>	2006-10-15 06:04:55 +0200
commit	79b572263ea0dfcc1638757057825c3e6a2ee38d (patch)
tree	2d373b78667d1af5e6ba588f28143229dbb2da77 /Bugzilla/User.pm
parent	b0ddda44bee03e94f04368dd68e8c0784de4a945 (diff)
download	bugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.gz bugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.xz