From: Dave Lawrence
Date: Tue, 25 Feb 2014 21:42:06 +0000 (+0000)
Subject: Bug 962060 - User.get ignores the "maxusermatches" parameter and allows listing all...
X-Git-Tag: bugzilla-4.4.3~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=438c4b525bc0a2ff044e0495441f5bb714ded2d5;p=thirdparty%2Fbugzilla.git
Bug 962060 - User.get ignores the "maxusermatches" parameter and allows listing all email addresses r=LpSolit,a=justdave
---
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index ba94c0e715..491b4cd63d 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -15,9 +15,11 @@ use Bugzilla::Constants;
 use Bugzilla::Error;
 use Bugzilla::Group;
 use Bugzilla::User;
-use Bugzilla::Util qw(trim);
+use Bugzilla::Util qw(trim detaint_natural);
 use Bugzilla::WebService::Util qw(filter validate translate params_to_objects);
+use List::Util qw(min);
+
 # Don't need auth to login
 use constant LOGIN_EXEMPT => {
 login => 1,
@@ -184,12 +186,17 @@ sub get {
 userid => $obj->id});
 }
 }
-
+
 # User Matching
- my $limit;
- if ($params->{'maxusermatches'}) {
- $limit = $params->{'maxusermatches'} + 1;
+ my $limit = Bugzilla->params->{maxusermatches};
+ if ($params->{limit}) {
+ detaint_natural($params->{limit})
+ || ThrowCodeError('param_must_be_numeric',
+ { function => 'Bugzilla::WebService::User::match',
+ param => 'limit' });
+ $limit = $limit ? min($params->{limit}, $limit) : $params->{limit};
 }
+
 my $exclude_disabled = $params->{'include_disabled'} ? 0 : 1;
 foreach my $match_string (@{ $params->{'match'} || [] }) {
 my $matched = Bugzilla::User::match($match_string, $limit, $exclude_disabled);
@@ -200,7 +207,7 @@ sub get {
 }
 }
 }
-
+
 my $in_group = $self->_filter_users_by_group( \@user_objects, $params);
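Review bot: The code error raised for a non-numeric `limit` reports `function => 'Bugzilla::WebService::User::match'`, but the hunk header shows this block sits inside `sub get`, so the message would send a caller looking at the wrong method; it should presumably read `{ function => 'Bugzilla::WebService::User::get',`. The guard `if ($params->{limit})` also means a client `limit` of 0 is silently replaced by the server-side `maxusermatches` instead of producing the "integer greater than zero" error the new POD documents; if that fallback is intended, a one-line comment such as `# a false/zero limit falls back to the maxusermatches sysparam` would keep the next reader from "fixing" it. As a point of style, `detaint_natural(...) || ThrowCodeError(...)` is flow control, where the low-precedence `or` is the conventional form. `get` starts and ends outside this hunk.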
@@ -741,6 +748,13 @@ if they try. (This is to make it harder for spammers to harvest email addresses from Bugzilla, and also to enforce the user visibility restrictions that are implemented on some Bugzillas.)
+=item C (int)
+
+Limit the number of users matched by the C parameter. If value
+is greater than the system limit, the system limit will be used. This
+parameter is only used when user matching using the C parameter
+is being performed.
+
 =item C (array)
 =item C (array)
@@ -885,6 +899,10 @@ querying your own account, even if you are in the editusers group.
 You passed an invalid login name in the "names" array or a bad group ID in the C argument.
+=item 52 (Invalid Parameter)
+
+The value used must be an integer greater then zero.
+
 =item 304 (Authorization Required)
 You are logged in, but you are not authorized to see one of the users you
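Review bot: The new description for error code 52 has a typo, `then` for `than`; it should read `The value used must be an integer greater than zero.` It would also help to say which parameter the error applies to, since this POD section lists several, e.g. `The C<limit> parameter must be an integer greater than zero.` (the `C<>` markup is guessed from the surrounding items, which the extraction has stripped).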