-rw-r--r-- | Bugzilla/Search.pm | 6 | ||||
-rwxr-xr-x | buglist.cgi | 13 |
2 files changed, 12 insertions, 7 deletions
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index 6ab781767..e42952347 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm @@ -802,8 +802,8 @@ sub _param_array { } sub _params { $_[0]->{params} } - sub _user { return $_[0]->{user} } +sub _sharer_id { $_[0]->{sharer} } ############################## # Internal Accessors: SELECT # @@ -2546,8 +2546,8 @@ sub _multiselect_table { } elsif ($field eq 'tag') { $args->{full_field} = 'tag.name'; - return "bug_tag INNER JOIN tag ON bug_tag.tag_id = tag.id" - . " AND user_id = " . $self->_user->id; + return "bug_tag INNER JOIN tag ON bug_tag.tag_id = tag.id AND user_id = " + . ($self->_sharer_id || $self->_user->id); } elsif ($field eq 'bug_group') { $args->{full_field} = 'groups.name'; diff --git a/buglist.cgi b/buglist.cgi index 3e7aadf2c..79bf94381 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -211,7 +211,9 @@ sub LookupNamedQuery { $query->url || ThrowUserError("buglist_parameters_required"); - return wantarray ? ($query->url, $query->id) : $query->url; + # Detaint $sharer_id. + $sharer_id = $query->user->id if $sharer_id; + return wantarray ? ($query->url, $query->id, $sharer_id) : $query->url; } # Inserts a Named Query (a "Saved Search") into the database, or @@ -330,6 +332,7 @@ sub _close_standby_message { my $cmdtype = $cgi->param('cmdtype') || ''; my $remaction = $cgi->param('remaction') || ''; +my $sharer_id; # Backwards-compatibility - the old interface had cmdtype="runnamed" to run # a named command, and we can't break this because it's in bookmarks. 
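Review bot: The `tag` branch of `_multiselect_table` concatenates `$self->_sharer_id` straight into the JOIN condition, and nothing in Search.pm checks that the `sharer` constructor argument is a plain integer. The only sanitising visible in this commit is in buglist.cgi's `LookupNamedQuery`, so any other caller that passes `sharer` would place its value in the SQL unchecked. Enforcing the invariant where the SQL is built removes that dependency, for example `sub _sharer_id { my $id = $_[0]->{sharer}; return ($id && $id =~ /\A[0-9]+\z/) ? $id : undef }`, or by throwing a code error on a non-numeric value instead of falling back. `_multiselect_table` begins and ends outside this hunk, so its other branches were not reviewed.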
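Review bot: The comment `# Detaint $sharer_id.` in `LookupNamedQuery` undersells the line beneath it: the value is replaced with the owner ID of the saved search that was looked up, and that replacement is what makes it safe to hand to Bugzilla::Search. A comment such as `# Never pass the request value on; use the owner ID of the query as loaded from the database.` would make a later edit less likely to weaken it. The list-context return also grows from two values to three; the one call site in this diff is updated, but any other list-context caller outside these hunks should be checked. The sub starts outside the hunk, so `$sharer_id` is assumed here to be one of its parameters.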
@@ -366,8 +369,9 @@ $filename =~ s/"/\\"/g; # escape quotes if ($cmdtype eq "dorem") { if ($remaction eq "run") { my $query_id; - ($buffer, $query_id) = LookupNamedQuery(scalar $cgi->param("namedcmd"), - scalar $cgi->param('sharer_id')); + ($buffer, $query_id, $sharer_id) = + LookupNamedQuery(scalar $cgi->param("namedcmd"), + scalar $cgi->param('sharer_id')); # If this is the user's own query, remember information about it # so that it can be modified easily. $vars->{'searchname'} = $cgi->param('namedcmd'); @@ -727,7 +731,8 @@ if ($format->{'extension'} eq 'html' && !defined $params->param('limit')) { # Generate the basic SQL query that will be used to generate the bug list. my $search = new Bugzilla::Search('fields' => \@selectcolumns, 'params' => scalar $params->Vars, - 'order' => \@order_columns); + 'order' => \@order_columns, + 'sharer' => $sharer_id); my $query = $search->sql; $vars->{'search_description'} = $search->search_description; $order = join(',', $search->order); |
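Review bot: Passing `'sharer' => $sharer_id` to `Bugzilla::Search` makes every `tag` criterion in the search resolve against another user's private tags, yet the call site carries no comment saying so. The value is set in the `dorem`/`run` branch and consumed a few hundred lines later, and what happens to `$params` in between is not visible in this diff. It is worth confirming that, while a sharer is in effect, the criteria can only come from the stored query and not from extra request parameters, since otherwise the person running a shared search could learn more about the sharer's tags than the sharer chose to expose. A comment at the constructor call would record the assumption, e.g. `# $sharer_id is set only when running another user's saved search; tag criteria are then evaluated as that user.`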