Patched minor security hole; don't show summary of bugs that the user

doesn't have permission to see.
author: terry%mozilla.org <> 1999-05-28 00:17:25 +0200
committer: terry%mozilla.org <> 1999-05-28 00:17:25 +0200
commit: f47c0339e2c258c878e6284970d917dcd3960cba (patch)
tree: ce7a23f45dfc55420b74e8cb4c7c4fb956261421 /showdependencytree.cgi
parent: 9b1a447768cf2986a77c341274a254f06fe9d79d (diff)
download: bugzilla-f47c0339e2c258c878e6284970d917dcd3960cba.tar.gz
bugzilla-f47c0339e2c258c878e6284970d917dcd3960cba.tar.xz
1 files changed, 7 insertions, 1 deletions
diff --git a/showdependencytree.cgi b/showdependencytree.cgi
index 92964648f..f457d67a3 100755
--- a/showdependencytree.cgi
+++ b/showdependencytree.cgi
@@ -37,6 +37,10 @@ PutHeader("Dependency tree", "Dependency tree", "Bug $linkedid");
 
 ConnectToDatabase();
 
+quietly_check_login();
+
+$::usergroupset = $::usergroupset; # More warning suppression silliness.
+
 my %seen;
 
 sub DumpKids {
@@ -53,8 +57,10 @@ sub DumpKids {
     if (@list) {
         print "<ul>\n";
         foreach my $kid (@list) {
-            SendSQL("select bug_status, short_desc from bugs where bug_id = $kid");
+            SendSQL("select bug_status, short_desc from bugs where bug_id = $kid and bugs.groupset & $::usergroupset = bugs.groupset");
             my ($stat, $short_desc) = (FetchSQLData());
+            $stat = "NEW" if !defined $stat;
+            $short_desc = "" if !defined $short_desc;
             my $opened = ($stat eq "NEW" || $stat eq "ASSIGNED" ||
                           $stat eq "REOPENED");
             print "<li>";
author	terry%mozilla.org <>	1999-05-28 00:17:25 +0200
committer	terry%mozilla.org <>	1999-05-28 00:17:25 +0200
commit	f47c0339e2c258c878e6284970d917dcd3960cba (patch)
tree	ce7a23f45dfc55420b74e8cb4c7c4fb956261421 /showdependencytree.cgi
parent	9b1a447768cf2986a77c341274a254f06fe9d79d (diff)
download	bugzilla-f47c0339e2c258c878e6284970d917dcd3960cba.tar.gz bugzilla-f47c0339e2c258c878e6284970d917dcd3960cba.tar.xz