summaryrefslogtreecommitdiffstats
path: root/extensions
diff options
context:
space:
mode:
authorDylan William Hardison <dylan@mozilla.com>2014-08-20 07:44:17 +0200
committerByron Jones <glob@mozilla.com>2014-08-20 07:44:17 +0200
commit0d7037f0ae1539f34e447fdbe0fbe0818add88b5 (patch)
tree6a8335f126e6d7ab38cda95c84c5ee8b011327e8 /extensions
parent3c28be9dca0e8d2a17acd70aff8cfac2b6b1b358 (diff)
downloadbugzilla-0d7037f0ae1539f34e447fdbe0fbe0818add88b5.tar.gz
bugzilla-0d7037f0ae1539f34e447fdbe0fbe0818add88b5.tar.xz
Bug 1050628: flag state API doesn't honour bug or attachment security
Diffstat (limited to 'extensions')
-rw-r--r--extensions/Review/lib/WebService.pm14
1 files changed, 13 insertions, 1 deletions
diff --git a/extensions/Review/lib/WebService.pm b/extensions/Review/lib/WebService.pm
index f5530dd49..8d10b5423 100644
--- a/extensions/Review/lib/WebService.pm
+++ b/extensions/Review/lib/WebService.pm
@@ -118,10 +118,22 @@ sub flag_activity {
}
my $matches = Bugzilla::Extension::Review::FlagStateActivity->match(\%match_criteria);
- my @results = map { $self->_flag_state_activity_to_hash($_, $params) } @$matches;
+ my $user = Bugzilla->user;
+ $user->visible_bugs([ map { $_->bug_id } @$matches ]);
+ my @results = map { $self->_flag_state_activity_to_hash($_, $params) }
+ grep { $user->can_see_bug($_->bug_id) && _can_see_attachment($user, $_) }
+ @$matches;
return \@results;
}
+sub _can_see_attachment {
+ my ($user, $flag_state_activity) = @_;
+
+ return 1 if !$flag_state_activity->attachment_id;
+ return 0 if $flag_state_activity->attachment->isprivate && !$user->is_insider;
+ return 1;
+}
+
sub rest_resources {
return [
# bug-id