From: lpsolit%gmail.com <> Date: Thu, 23 Aug 2007 20:42:53 +0000 (+0000) Subject: Bug 382056: [SECURITY] Bugzilla::Webservice::Bug->get_bugs() doesn't check if the... X-Git-Tag: bugzilla-3.0.1~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3052fc63f260c68eda83c65f132a733e466eecf1;p=thirdparty%2Fbugzilla.git Bug 382056: [SECURITY] Bugzilla::Webservice::Bug->get_bugs() doesn't check if the user is in the timetracking group when returning data - Patch by Frédéric Buclin r=mkanat a=LpSolit --- diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm index a2710c4824..14ed2e7fdd 100755 --- a/Bugzilla/WebService/Bug.pm +++ b/Bugzilla/WebService/Bug.pm @@ -70,6 +70,13 @@ sub get_bugs { ValidateBugID($bug_id); my $bug = new Bugzilla::Bug($bug_id); + # Timetracking fields are deleted if the user doesn't belong to + # the corresponding group. + unless (Bugzilla->user->in_group(Bugzilla->params->{'timetrackinggroup'})) { + delete $bug->{'estimated_time'}; + delete $bug->{'remaining_time'}; + delete $bug->{'deadline'}; + } # This is done in this fashion in order to produce a stable API. # The internals of Bugzilla::Bug are not stable enough to just # return them directly.
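Review bot: The three `delete $bug->{...}` lines added in `get_bugs()` withhold time-tracking data by mutating the `Bugzilla::Bug` object's internal hash, the same internals that the unchanged comment directly below describes as not stable enough to return directly. This is a denylist keyed on hash names, so a time-tracking value stored under a different key, or populated by an accessor after this point, would still reach the response. Consider building the returned structure from an explicit list of fields and including `estimated_time`, `remaining_time` and `deadline` only when `Bugzilla->user->in_group(Bugzilla->params->{'timetrackinggroup'})` is true. The group check does not depend on `$bug_id`, so it can be evaluated once and reused instead of being repeated for every bug. It is also worth confirming that an unset `timetrackinggroup` parameter makes `in_group` return false, so the fields are withheld by default. A regression test that calls `get_bugs()` as a user outside the group would keep this from reopening.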