author | lpsolit%gmail.com <> | 2006-10-15 06:04:55 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2006-10-15 06:04:55 +0200 |
commit | 79b572263ea0dfcc1638757057825c3e6a2ee38d (patch) | |
tree | 2d373b78667d1af5e6ba588f28143229dbb2da77 /template/en/default/attachment/list.html.tmpl | |
parent | b0ddda44bee03e94f04368dd68e8c0784de4a945 (diff) | |
Bug 346086: [SECURITY] attachment.cgi lets you view descriptions of private attachments even when you are not in the insidergroup - Patch by Frédéric Buclin <LpSolit@gmail.com> r=myk a=justdave
Diffstat (limited to 'template/en/default/attachment/list.html.tmpl')
-rw-r--r-- | template/en/default/attachment/list.html.tmpl | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl
index adb927e1a..a0445b16a 100644
--- a/template/en/default/attachment/list.html.tmpl
+++ b/template/en/default/attachment/list.html.tmpl
@@ -32,11 +32,10 @@
 [% END %]
 <th bgcolor="#cccccc" align="left">Actions</th>
 </tr>
- [% canseeprivate = !Param("insidergroup") || user.in_group(Param("insidergroup")) %]
 [% count = 0 %]
 [% FOREACH attachment = attachments %]
 [% count = count + 1 %]
- [% IF !attachment.isprivate || canseeprivate %]
+ [% IF !attachment.isprivate || user.is_insider || attachment.attacher.id == user.id %]
 <tr [% "class=\"bz_private\"" IF attachment.isprivate %]>
 <td valign="top">
 <a name="a[% count %]" href="attachment.cgi?id=[% attachment.id %]">[% attachment.description FILTER html FILTER obsolete(attachment.isobsolete) %]</a> |
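Review bot: The visibility rule on the added line, `user.is_insider || attachment.attacher.id == user.id`, is an authorization decision written out inside a template, and the commit title indicates attachment.cgi enforces the same rule on the server side; two hand-written copies of the rule will drift, so a single method on the attachment object (something like `attachment.is_viewable_by(user)`, name illustrative) called from both the CGI and this `IF` would keep them in step. The template filter only hides the table row, so the server-side check remains the one that actually protects the description and the file contents. Separately, `[% count = count + 1 %]` runs before the `IF`, so a hidden private attachment still consumes an anchor number and leaves a gap in the `a[% count %]` sequence; whether that gap matters depends on how those anchors are referenced elsewhere, which is not visible here. The `FOREACH` block this condition sits in closes outside the hunk.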