From: Dave Lawrence <dlawrence@mozilla.com>
Date: Thu, 2 Jan 2014 23:18:45 +0000 (-0500)
Subject: Bug 952284 - Tags set to private comments should not be disclosed to everybody in... 
X-Git-Tag: bugzilla-4.5.2~50
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05efc5cc95012761732f453211ccb18456fd8086;p=thirdparty%2Fbugzilla.git

Bug 952284 - Tags set to private comments should not be disclosed to everybody in the bug activity table
r=LpSolit,a=sgreen
---

diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index f0476c898c..b4e8c361a5 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -3872,6 +3872,15 @@ sub get_activity {
         && $include_comment_tags
         && !$attach_id)
     {
+        # Only includes comment tag activity for comments the user is allowed to see.
+        $suppjoins = "";
+        $suppwhere = "";
+        if (!Bugzilla->user->is_insider) {
+            $suppjoins = "INNER JOIN longdescs
+                          ON longdescs.comment_id = longdescs_tags_activity.comment_id";
+            $suppwhere = "AND longdescs.isprivate = 0";
+        }
+
         $query .= "
             UNION ALL
             SELECT 'comment_tag' AS name,
@@ -3883,8 +3892,10 @@ sub get_activity {
                    longdescs_tags_activity.comment_id as comment_id
               FROM longdescs_tags_activity
                    INNER JOIN profiles ON profiles.userid = longdescs_tags_activity.who
+                   $suppjoins
              WHERE longdescs_tags_activity.bug_id = ?
                    $datepart
+                   $suppwhere
         ";
         push @args, $self->id;
         push @args, $starttime if defined $starttime;