From 05efc5cc95012761732f453211ccb18456fd8086 Mon Sep 17 00:00:00 2001
From: Dave Lawrence <dlawrence@mozilla.com>
Date: Thu, 2 Jan 2014 18:18:45 -0500
Subject: Bug 952284 - Tags set to private comments should not be disclosed to
 everybody in the bug activity table r=LpSolit,a=sgreen

---
 Bugzilla/Bug.pm | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'Bugzilla/Bug.pm')

diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index f0476c898..b4e8c361a 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -3872,6 +3872,15 @@ sub get_activity {
         && $include_comment_tags
         && !$attach_id)
     {
+        # Only includes comment tag activity for comments the user is allowed to see.
+        $suppjoins = "";
+        $suppwhere = "";
+        if (!Bugzilla->user->is_insider) {
+            $suppjoins = "INNER JOIN longdescs
+                          ON longdescs.comment_id = longdescs_tags_activity.comment_id";
+            $suppwhere = "AND longdescs.isprivate = 0";
+        }
+
         $query .= "
             UNION ALL
             SELECT 'comment_tag' AS name,
@@ -3883,8 +3892,10 @@ sub get_activity {
                    longdescs_tags_activity.comment_id as comment_id
               FROM longdescs_tags_activity
                    INNER JOIN profiles ON profiles.userid = longdescs_tags_activity.who
+                   $suppjoins
              WHERE longdescs_tags_activity.bug_id = ?
                    $datepart
+                   $suppwhere
         ";
         push @args, $self->id;
         push @args, $starttime if defined $starttime;
-- 
cgit v1.2.3-24-g4f1b