From 6d4be44ecf30f5448ef567cf5d947f3edd97581a Mon Sep 17 00:00:00 2001
From: Max Kanat-Alexander <mkanat@bugzilla.org>
Date: Thu, 24 Jun 2010 10:10:36 -0700
Subject: [PATCH] Bug 309952: (CVE-2010-1204) [SECURITY] Protect boolean chart
 searches for time-tracking fields from being used by users who are not in the
 timetrackinggroup. r=LpSolit, a=mkanat

---
 Bugzilla/Search.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 499cc071f9..c489a9b7b6 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -638,6 +638,14 @@ sub init {
     %chartfields = @{$dbh->selectcol_arrayref(
         q{SELECT name, id FROM fielddefs}, { Columns=>[1,2] })};
 
+    if (!$user->in_group(Bugzilla->params->{'timetrackinggroup'})) {
+        foreach my $tt_field (qw(estimated_time remaining_time work_time
+                                 actual_time percentage_complete deadline)) 
+        {
+            delete $chartfields{$tt_field};
+        }
+    }
+
     $row = 0;
     for ($chart=-1 ;
          $chart < 0 || $params->param("field$chart-0-0") ;
-- 
2.47.3