Bug 309952: (CVE-2010-1204) [SECURITY] Protect boolean chart searches for
authorMax Kanat-Alexander <mkanat@bugzilla.org>
Thu, 24 Jun 2010 17:10:36 +0000 (10:10 -0700)
committerMax Kanat-Alexander <mkanat@bugzilla.org>
Thu, 24 Jun 2010 17:10:36 +0000 (10:10 -0700)
time-tracking fields from being used by users who are not in the
timetrackinggroup.
r=LpSolit, a=mkanat

Bugzilla/Search.pm

index 499cc071f9d0ae542582c9e6c479add828bd974d..c489a9b7b693bfdbe9f71d6dfde707acb3cf65df 100644 (file)
@@ -638,6 +638,14 @@ sub init {
     %chartfields = @{$dbh->selectcol_arrayref(
         q{SELECT name, id FROM fielddefs}, { Columns=>[1,2] })};
 
+    if (!$user->in_group(Bugzilla->params->{'timetrackinggroup'})) {
+        foreach my $tt_field (qw(estimated_time remaining_time work_time
+                                 actual_time percentage_complete deadline)) 
+        {
+            delete $chartfields{$tt_field};
+        }
+    }
+
     $row = 0;
     for ($chart=-1 ;
          $chart < 0 || $params->param("field$chart-0-0") ;
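Review bot: Deleting the six names from `%chartfields` only enforces the restriction if every place that validates a user-supplied chart field consults that hash; the lookup this relies on is past the end of the hunk, so confirm no other path (a default or fallback field, a later re-population of the hash) lets `field$chart-$row-$col=deadline` through, and note that a non-member will presumably now receive the generic invalid-field error rather than an explicit permission denial. `Bugzilla->params->{'timetrackinggroup'}` may be empty when time tracking is not configured, so the behaviour then depends on what `in_group('')` returns — if it is false the fields are hidden for everyone, which is likely intended but should be confirmed and stated. The hard-coded list also duplicates whatever the column-visibility code uses for the same group; if Search.pm already carries that list elsewhere, hoist it into one constant so the two cannot drift. Add a why-comment above the new `if`: `# Users outside timetrackinggroup must not be able to search on (and so infer) time-tracking values; dropping the names from %chartfields makes them fail the field-validity check below.`, and strip the trailing whitespace after `deadline))`. `sub init` and the `$user` it tests are defined outside the hunk.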