Bug 382056: [SECURITY] Bugzilla::Webservice::Bug->get_bugs() doesn't check if the...

author lpsolit%gmail.com <>

Thu, 23 Aug 2007 20:42:53 +0000 (20:42 +0000)

committer lpsolit%gmail.com <>

Thu, 23 Aug 2007 20:42:53 +0000 (20:42 +0000)
author lpsolit%gmail.com <>
Thu, 23 Aug 2007 20:42:53 +0000 (20:42 +0000)
committer lpsolit%gmail.com <>
Thu, 23 Aug 2007 20:42:53 +0000 (20:42 +0000)
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm

index a2710c48240e759a628d0e310962563e3912656a..14ed2e7fddc7c1ca3fc34b50d71cb52e9418fe84 100755 (executable)
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -70,6 +70,13 @@ sub get_bugs {
          ValidateBugID($bug_id);
          my $bug = new Bugzilla::Bug($bug_id);
  
+        # Timetracking fields are deleted if the user doesn't belong to
+        # the corresponding group.
+        unless (Bugzilla->user->in_group(Bugzilla->params->{'timetrackinggroup'})) {
+            delete $bug->{'estimated_time'};
+            delete $bug->{'remaining_time'};
+            delete $bug->{'deadline'};
+        }
          # This is done in this fashion in order to produce a stable API.
          # The internals of Bugzilla::Bug are not stable enough to just
          # return them directly.
author	lpsolit%gmail.com <>
	Thu, 23 Aug 2007 20:42:53 +0000 (20:42 +0000)
committer	lpsolit%gmail.com <>
	Thu, 23 Aug 2007 20:42:53 +0000 (20:42 +0000)