Commit 438c4b52 authored by Dave Lawrence's avatar Dave Lawrence

Bug 962060 - User.get ignores the "maxusermatches" parameter and allows listing all email addresses

r=LpSolit,a=justdave
parent 079bc035
......@@ -15,9 +15,11 @@ use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Group;
use Bugzilla::User;
use Bugzilla::Util qw(trim);
use Bugzilla::Util qw(trim detaint_natural);
use Bugzilla::WebService::Util qw(filter validate translate params_to_objects);
use List::Util qw(min);
# Don't need auth to login
use constant LOGIN_EXEMPT => {
login => 1,
......@@ -184,12 +186,17 @@ sub get {
userid => $obj->id});
}
}
# User Matching
my $limit;
if ($params->{'maxusermatches'}) {
$limit = $params->{'maxusermatches'} + 1;
my $limit = Bugzilla->params->{maxusermatches};
if ($params->{limit}) {
detaint_natural($params->{limit})
|| ThrowCodeError('param_must_be_numeric',
{ function => 'Bugzilla::WebService::User::match',
param => 'limit' });
$limit = $limit ? min($params->{limit}, $limit) : $params->{limit};
}
my $exclude_disabled = $params->{'include_disabled'} ? 0 : 1;
foreach my $match_string (@{ $params->{'match'} || [] }) {
my $matched = Bugzilla::User::match($match_string, $limit, $exclude_disabled);
......@@ -200,7 +207,7 @@ sub get {
}
}
}
my $in_group = $self->_filter_users_by_group(
\@user_objects, $params);
......@@ -741,6 +748,13 @@ if they try. (This is to make it harder for spammers to harvest email
addresses from Bugzilla, and also to enforce the user visibility
restrictions that are implemented on some Bugzillas.)
=item C<limit> (int)
Limit the number of users matched by the C<match> parameter. If value
is greater than the system limit, the system limit will be used. This
parameter is only used when user matching using the C<match> parameter
is being performed.
=item C<group_ids> (array)
=item C<groups> (array)
......@@ -885,6 +899,10 @@ querying your own account, even if you are in the editusers group.
You passed an invalid login name in the "names" array or a bad
group ID in the C<group_ids> argument.
=item 52 (Invalid Parameter)
The value used must be an integer greater then zero.
=item 304 (Authorization Required)
You are logged in, but you are not authorized to see one of the users you
......
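Review bot: The `ThrowCodeError('param_must_be_numeric', ...)` call in the `sub get` hunk names the wrong function: it reports `function => 'Bugzilla::WebService::User::match'`, but the hunk header places this code inside `sub get`, so a rejected `limit` would be attributed to a method that never ran; change it to `function => 'Bugzilla::WebService::User::get',`. Because the guard is `if ($params->{limit})`, a caller passing `limit => 0` or an empty string never reaches `detaint_natural` and silently gets the system `maxusermatches` cap, which does not match the new error text `must be an integer greater then zero` — either state that fall-through in the `=item C<limit>` POD or validate the value before the truthiness check. That same POD line has a typo: `greater then` should read `greater than`. The old `+ 1` on the limit is dropped; if `Bugzilla::User::match` relied on the extra row to detect truncation, this changes that behaviour, which cannot be confirmed from the hunk. `sub get` begins and ends outside the hunk.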