From: Simon Green
Date: Mon, 13 Apr 2015 20:29:33 +0000 (+0100)
Subject: Bug 1151290: It is possible to tell if someone made a private comment on a bug even...
X-Git-Tag: bugzilla-4.2.14~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=feca0d8f1d5925630eda0c174dbe4d7c4b5b6648;p=thirdparty%2Fbugzilla.git
Bug 1151290: It is possible to tell if someone made a private comment on a bug even if you are not an 'insider' r=dkl,a=glob
---
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 8e419c0ee8..827f46a4a1 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -2306,11 +2306,17 @@ sub _user_nonchanged {
 sub _long_desc_changedby {
 my ($self, $args) = @_;
 my ($chart_id, $joins, $value) = @$args{qw(chart_id joins value)};
-
+
 my $table = "longdescs_$chart_id";
 push(@$joins, { table => 'longdescs', as => $table });
 my $user_id = login_to_id($value, THROW_ERROR);
 $args->{term} = "$table.who = $user_id";
+
+ # If the user is not part of the insiders group, they cannot see
+ # private comments
+ if (!$self->_user->is_insider) {
+ $args->{term} .= " AND $table.isprivate = 0";
+ }
 }
 
 sub _long_desc_changedbefore_after {
@@ -2318,7 +2324,7 @@ sub _long_desc_changedbefore_after {
 my ($chart_id, $operator, $value, $joins) =
 @$args{qw(chart_id operator value joins)};
 my $dbh = Bugzilla->dbh;
-
+
 my $sql_operator = ($operator =~ /before/) ? '<=' : '>=';
 my $table = "longdescs_$chart_id";
 my $sql_date = $dbh->quote(SqlifyDate($value));
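Review bot: The `isprivate = 0` restriction in `_long_desc_changedby` is appended to `$args->{term}`, so it sits in the WHERE expression next to `who = $user_id` rather than on the `longdescs` join itself. If the search layer wraps this term in a negation (that code is outside this hunk, so this needs confirming), the privacy condition is negated together with the author match and private rows can again affect which bugs a non-insider gets back. Attaching the filter to the join keeps it unconditional: for non-insiders build the join as `{ table => 'longdescs', as => $table, extra => ["$table.isprivate = 0"] }` and leave the term as `"$table.who = $user_id"`. A regression test that runs this search as a non-insider, both plain and negated, would pin the intended behaviour.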