author | Dylan William Hardison <dylan@mozilla.com> | 2014-08-20 07:44:17 +0200 |
committer | Byron Jones <glob@mozilla.com> | 2014-08-20 07:44:17 +0200 |
commit | 0d7037f0ae1539f34e447fdbe0fbe0818add88b5 (patch) | |
tree | 6a8335f126e6d7ab38cda95c84c5ee8b011327e8 /extensions | |
parent | 3c28be9dca0e8d2a17acd70aff8cfac2b6b1b358 (diff) | |
Bug 1050628: flag state API doesn't honour bug or attachment security
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/Review/lib/WebService.pm | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/extensions/Review/lib/WebService.pm b/extensions/Review/lib/WebService.pm
index f5530dd49..8d10b5423 100644
--- a/extensions/Review/lib/WebService.pm
+++ b/extensions/Review/lib/WebService.pm
@@ -118,10 +118,22 @@ sub flag_activity {
     }
     my $matches = Bugzilla::Extension::Review::FlagStateActivity->match(\%match_criteria);
-    my @results = map { $self->_flag_state_activity_to_hash($_, $params) } @$matches;
+    my $user = Bugzilla->user;
+    $user->visible_bugs([ map { $_->bug_id } @$matches ]);
+    my @results = map { $self->_flag_state_activity_to_hash($_, $params) }
+                  grep { $user->can_see_bug($_->bug_id) && _can_see_attachment($user, $_) }
+                  @$matches;
     return \@results;
 }
 
+sub _can_see_attachment {
+    my ($user, $flag_state_activity) = @_;
+
+    return 1 if !$flag_state_activity->attachment_id;
+    return 0 if $flag_state_activity->attachment->isprivate && !$user->is_insider;
+    return 1;
+}
+
 sub rest_resources {
     return [
         # bug-id
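Review bot: The visibility filter is applied after `->match(\%match_criteria)` has already run, so if the criteria built above the hunk carry a limit or offset, that limit is consumed before hidden rows are dropped and a caller can receive fewer rows than requested and infer that activity on a bug it cannot see exists; restricting the query to bug ids the user can see (or re-querying until the limit is filled) would avoid that side channel. `_can_see_attachment` also treats every private attachment as insider-only, which appears stricter than the attacher exception used elsewhere in Bugzilla for private attachments — if that is deliberate, a comment such as `# Private attachments are insider-only here; no attacher exception, unlike attachment.cgi.` would keep a later maintainer from "fixing" it. `$flag_state_activity->attachment->isprivate` is called without checking that `attachment` returned an object, so an activity row whose attachment no longer exists would die inside the grep rather than be filtered. flag_activity's body begins outside the hunk.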