From 0d7037f0ae1539f34e447fdbe0fbe0818add88b5 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison
Date: Wed, 20 Aug 2014 13:44:17 +0800
Subject: Bug 1050628: flag state API doesn't honour bug or attachment security

---
 extensions/Review/lib/WebService.pm | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'extensions/Review/lib')

diff --git a/extensions/Review/lib/WebService.pm b/extensions/Review/lib/WebService.pm
index f5530dd49..8d10b5423 100644
--- a/extensions/Review/lib/WebService.pm
+++ b/extensions/Review/lib/WebService.pm
@@ -118,10 +118,22 @@ sub flag_activity {
     }
 
     my $matches = Bugzilla::Extension::Review::FlagStateActivity->match(\%match_criteria);
-    my @results = map { $self->_flag_state_activity_to_hash($_, $params) } @$matches;
+    my $user = Bugzilla->user;
+    $user->visible_bugs([ map { $_->bug_id } @$matches ]);
+    my @results = map { $self->_flag_state_activity_to_hash($_, $params) }
+        grep { $user->can_see_bug($_->bug_id) && _can_see_attachment($user, $_) }
+        @$matches;
     return \@results;
 }
 
+sub _can_see_attachment {
+    my ($user, $flag_state_activity) = @_;
+
+    return 1 if !$flag_state_activity->attachment_id;
+    return 0 if $flag_state_activity->attachment->isprivate && !$user->is_insider;
+    return 1;
+}
+
 sub rest_resources {
     return [
         # bug-id
-- 
cgit v1.2.3-24-g4f1b
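Review bot: `_can_see_attachment` re-derives the private-attachment access rule as `isprivate && !is_insider` instead of delegating to whatever central attachment-visibility check the project already has, so the two can silently drift (as I recall it, core Bugzilla's rule also lets the attacher see their own private attachment, which would make this helper stricter than the rest of the UI for that user); if `Bugzilla::Attachment` or the user object exposes such a check, call it here rather than duplicating the policy. The helper also calls `$flag_state_activity->attachment->isprivate` inside the grep for every row that has an `attachment_id`, so a row whose attachment no longer resolves would die on the undefined object rather than be filtered out — worth confirming what `attachment` returns for a missing row, and whether that per-row fetch is acceptable given `visible_bugs` was added precisely to avoid per-row bug lookups. Please add a header comment to the new sub, e.g. `# Flag activity with no attachment is bug-level and already covered by can_see_bug; activity on a private attachment is hidden from non-insiders.` Note that `flag_activity` begins above the hunk, so the construction of `%match_criteria` (and any limit/offset applied before this post-query filter) is not visible here.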