From 7c098954938807062a27d72f52d3f2a8dbd06bfd Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Fri, 3 Aug 2012 12:20:19 +0200 Subject: Bug 780028: Oracle crashes if a column listed in ORDER BY appears twice in SELECT r=glob a=LpSolit --- Bugzilla/Search.pm | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'Bugzilla/Search.pm') diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index da37a9638..9cab49ab8 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm @@ -824,10 +824,19 @@ sub _add_extra_column { # These are the columns that we're going to be actually SELECTing. sub _display_columns { my ($self) = @_; - # Do not alter the list specified here at all, even if they are duplicated. - # Those are passed by the caller, and the caller expects to get them back - # in the exact same order. - $self->{display_columns} ||= [$self->_input_columns, $self->_extra_columns]; + return @{ $self->{display_columns} } if $self->{display_columns}; + + # Do not alter the list from _input_columns at all, even if there are + # duplicated columns. Those are passed by the caller, and the caller + # expects to get them back in the exact same order. + my @columns = $self->_input_columns; + + # Only add columns which are not already listed. + my %list = map { $_ => 1 } @columns; + foreach my $column ($self->_extra_columns) { + push(@columns, $column) unless $list{$column}++; + } + $self->{display_columns} = \@columns; return @{ $self->{display_columns} }; } -- cgit v1.2.3-24-g4f1b From 7c35aa81182fe6213876233627964d5515344e6a Mon Sep 17 00:00:00 2001 From: SImon Green Date: Tue, 7 Aug 2012 12:59:38 +0800 Subject: Bug 779709: Don't allow searching on changes to private attachments or comments r=glob, a=LpSolit --- Bugzilla/Search.pm | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) (limited to 'Bugzilla/Search.pm') diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index 9cab49ab8..9a5e888bc 100644 
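Review bot: Duplicates that are already inside `_input_columns` still reach the SELECT list, because `_display_columns` only filters the entries coming from `_extra_columns`. If a caller-supplied duplicate can also be an ORDER BY column, the Oracle failure named in the subject may still occur; this hunk alone cannot confirm that. A sentence in the comment saying why that case is safe, or a regression test with a repeated input column, would settle it. The lookup hash would also read better as `%seen`, e.g. `push(@columns, $column) unless $seen{$column}++;`.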
--- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm @@ -2313,6 +2313,12 @@ sub _long_desc_changedbefore_after { }; push(@$joins, $join); $args->{term} = "$table.bug_when IS NOT NULL"; + + # If the user is not part of the insiders group, they cannot see + # private comments + if (!$self->_user->is_insider) { + $args->{term} .= " AND $table.isprivate = 0"; + } } sub _content_matches { @@ -2795,8 +2801,10 @@ sub _changedbefore_changedafter { extra => ["$table.fieldid = $field_id", "$table.bug_when $sql_operator $sql_date"], }; - push(@$joins, $join); + $args->{term} = "$table.bug_when IS NOT NULL"; + $self->_changed_security_check($args, $join); + push(@$joins, $join); } sub _changedfrom_changedto { @@ -2815,9 +2823,10 @@ sub _changedfrom_changedto { extra => ["$table.fieldid = $field_id", "$table.$column = $quoted"], }; - push(@$joins, $join); $args->{term} = "$table.bug_when IS NOT NULL"; + $self->_changed_security_check($args, $join); + push(@$joins, $join); } sub _changedby { 
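Review bot: In `_long_desc_changedbefore_after` the privacy filter is appended to `$args->{term}` instead of being part of the join condition, so a private comment row is still joined and only rejected afterwards. If the caller can wrap this term in a negation (not visible here), a bug whose matching comments include a private one would satisfy the negated term because of that row, so results would depend on comments the user must not see. Putting the predicate in the join, e.g. `push(@{ $join->{extra} }, "$table.isprivate = 0") if !$self->_user->is_insider;`, keeps private rows out entirely, assuming this join takes an `extra` list like the joins in the following hunks; the join is built above the hunk. The same placement question applies to the `COALESCE(... isprivate, 0) = 0` term added by `_changed_security_check` in the last hunk. A test running a negated search as a non-insider would pin the behaviour.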
@@ -2836,8 +2845,32 @@ sub _changedby { extra => ["$table.fieldid = $field_id", "$table.who = $user_id"], }; - push(@$joins, $join); + $args->{term} = "$table.bug_when IS NOT NULL"; + $self->_changed_security_check($args, $join); + push(@$joins, $join); +} + +sub _changed_security_check { + my ($self, $args, $join) = @_; + my ($chart_id, $field) = @$args{qw(chart_id field)}; + + my $field_object = $self->_chart_fields->{$field} + || ThrowCodeError("invalid_field_name", { field => $field }); + my $field_id = $field_object->id; + + # If the user is not part of the insiders group, they cannot see + # changes to attachments (including attachment flags) that are private + if ($field =~ /^(?:flagtypes\.name$|attach)/ and !$self->_user->is_insider) { + $join->{then_to} = { + as => "attach_${field_id}_$chart_id", + table => 'attachments', + from => "act_${field_id}_$chart_id.attach_id", + to => 'attach_id', + }; + + $args->{term} .= " AND COALESCE(attach_${field_id}_$chart_id.isprivate, 0) = 0"; + } } ###################### -- cgit v1.2.3-24-g4f1b
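Review bot: `_changed_security_check` rebuilds the activity alias by hand in `from => "act_${field_id}_$chart_id.attach_id"`, so the privacy filter only works while every caller names its table exactly that way; the callers set their alias outside these hunks. Passing the alias in, or reading it from the join if it carries one (for example `from => "$join->{as}.attach_id"`, assuming the outer join has an `as` key like the nested one), removes that coupling. The helper also appends with `.=`, so it must run after `$args->{term}` is assigned; a later plain assignment would silently drop the filter. A short comment above the sub stating that it mutates both `$args` and `$join` and relies on that ordering would guard new callers against this.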