Bug 382056: [SECURITY] Bugzilla::Webservice::Bug->get_bugs() doesn't check if…

Bug 382056: [SECURITY] Bugzilla::Webservice::Bug->get_bugs() doesn't check if the user is in the timetracking group when returning data - Patch by FrÃ©dÃ©ric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit

Bug 382056: [SECURITY] Bugzilla::Webservice::Bug->get_bugs() doesn't check if…
cda6e20b · lpsolit%gmail.com · 63e7d4ae · cda6e20b
Commit cda6e20b authored Aug 23, 2007 by lpsolit%gmail.com
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

Bug.pm Bugzilla/WebService/Bug.pm +7 -0

No files found.
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -70,6 +70,13 @@ sub get_bugs {
        ValidateBugID($bug_id);
        my $bug = new Bugzilla::Bug($bug_id);

+        # Timetracking fields are deleted if the user doesn't belong to
+        # the corresponding group.
+        unless (Bugzilla->user->in_group(Bugzilla->params->{'timetrackinggroup'})) {
+            delete $bug->{'estimated_time'};
+            delete $bug->{'remaining_time'};
+            delete $bug->{'deadline'};
+        }
        # This is done in this fashion in order to produce a stable API.
        # The internals of Bugzilla::Bug are not stable enough to just
        # return them directly.