From: Simon Green
Date: Mon, 13 Apr 2015 20:25:23 +0000 (+0100)
Subject: Bug 1151290: It is possible to tell if someone made a private comment on a bug even...
X-Git-Tag: bugzilla-4.0.18~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=877ef5c42214b15dfc1cc482395f928b12d353c6;p=thirdparty%2Fbugzilla.git
Bug 1151290: It is possible to tell if someone made a private comment on a bug even if you are not an 'insider' r=dkl,a=glob
---
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 4b79377629..9e71a74de1 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1597,12 +1597,18 @@ sub _long_desc_changedby {
 my %func_args = @_;
 my ($chartid, $supptables, $term, $v) =
 @func_args{qw(chartid supptables term v)};
-
+
 my $table = "longdescs_$$chartid";
 push(@$supptables, "LEFT JOIN longdescs AS $table " .
 "ON $table.bug_id = bugs.bug_id");
 my $id = login_to_id($$v, THROW_ERROR);
 $$term = "$table.who = $id";
+
+ # If the user is not part of the insiders group, they cannot see
+ # private comments
+ if (!$self->{user}->is_insider) {
+ $$term .= " AND $table.isprivate = 0";
+ }
 }
 
 sub _long_desc_changedbefore_after {
@@ -1611,7 +1617,7 @@ sub _long_desc_changedbefore_after {
 my ($chartid, $t, $v, $supptables, $term) =
 @func_args{qw(chartid t v supptables term)};
 my $dbh = Bugzilla->dbh;
-
+
 my $operator = ($$t =~ /before/) ? '<' : '>';
 my $table = "longdescs_$$chartid";
 push(@$supptables, "LEFT JOIN longdescs AS $table " .
@@ -1619,6 +1625,12 @@ sub _long_desc_changedbefore_after {
 "AND $table.bug_when $operator " .
 $dbh->quote(SqlifyDate($$v)) );
 $$term = "($table.bug_when IS NOT NULL)";
+
+ # If the user is not part of the insiders group, they cannot see
+ # private comments
+ if (!$self->{user}->is_insider) {
+ $$term .= " AND $table.isprivate = 0";
+ }
 }
 
 sub _content_matches {
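Review bot: The privacy clause is appended to `$$term` without enclosing parentheses, so the term handed back is `longdescs_N.who = ID AND longdescs_N.isprivate = 0`, and in the last hunk (`_long_desc_changedbefore_after`) it lands outside the parentheses that already wrap the `IS NOT NULL` test. How the caller combines or negates terms is not visible here, but a term that is not self-contained can let the `isprivate` restriction bind differently than intended once it is joined to other criteria. I would write `$$term = "($$term AND $table.isprivate = 0)";` in both places. The start of `_long_desc_changedby`, including where `$self` is declared, is outside this hunk.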
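Review bot: The `isprivate` test for non-insiders is added to the WHERE term, while the date restriction for the same alias sits in the LEFT JOIN's ON clause built just above; filtering private comments in the ON clause as well would keep them from joining at all, leaving `IS NOT NULL` as the only test. With the filter in the term, a bug that has both a public and a private comment in range produces one row that passes and one that fails, which matters if the surrounding search code ever negates the term (not visible here). A possible form is to end the join string with `. ($self->{user}->is_insider ? '' : " AND $table.isprivate = 0")`. The `push(@$supptables, …)` statement begins in the previous hunk and the function's opening is outside it; the same placement would apply to `_long_desc_changedby`.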