Bug 382056: [SECURITY] Bugzilla::Webservice::Bug->get_bugs() doesn't check if the user is in the timetracking group when returning data - Patch by FrÃ©dÃ©ric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit

author: lpsolit%gmail.com <> 2007-08-23 22:41:22 +0200
committer: lpsolit%gmail.com <> 2007-08-23 22:41:22 +0200
commit: cda6e20b9ab268a042b51f9ef868849c1da62d98 (patch)
tree: 576e26bd5ba662b42afdef63f71a2213fa8a102f /Bugzilla
parent: 63e7d4ae05d9eeff9a7d8a2613d8b70012d036fa (diff)
download: bugzilla-cda6e20b9ab268a042b51f9ef868849c1da62d98.tar.gz
bugzilla-cda6e20b9ab268a042b51f9ef868849c1da62d98.tar.xz
1 files changed, 7 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index a2710c482..14ed2e7fd 100755
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -70,6 +70,13 @@ sub get_bugs {
         ValidateBugID($bug_id);
         my $bug = new Bugzilla::Bug($bug_id);
 
+        # Timetracking fields are deleted if the user doesn't belong to
+        # the corresponding group.
+        unless (Bugzilla->user->in_group(Bugzilla->params->{'timetrackinggroup'})) {
+            delete $bug->{'estimated_time'};
+            delete $bug->{'remaining_time'};
+            delete $bug->{'deadline'};
+        }
         # This is done in this fashion in order to produce a stable API.
         # The internals of Bugzilla::Bug are not stable enough to just
         # return them directly.
author	lpsolit%gmail.com <>	2007-08-23 22:41:22 +0200
committer	lpsolit%gmail.com <>	2007-08-23 22:41:22 +0200
commit	cda6e20b9ab268a042b51f9ef868849c1da62d98 (patch)
tree	576e26bd5ba662b42afdef63f71a2213fa8a102f /Bugzilla
parent	63e7d4ae05d9eeff9a7d8a2613d8b70012d036fa (diff)
download	bugzilla-cda6e20b9ab268a042b51f9ef868849c1da62d98.tar.gz bugzilla-cda6e20b9ab268a042b51f9ef868849c1da62d98.tar.xz