From 965aecf7174959b55686ffb847e97831d28b032b Mon Sep 17 00:00:00 2001
From: Max Kanat-Alexander
Date: Thu, 24 Jun 2010 10:07:37 -0700
Subject: [PATCH] Bug 309952: (CVE-2010-1204) [SECURITY] Protect boolean chart searches for time-tracking fields from being used by users who are not in the timetrackinggroup. r=LpSolit, a=mkanat
---
 Bugzilla/Search.pm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 8fda3dfbcf..9f13d0117b 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -802,6 +802,12 @@ sub init {
     %chartfields = @{$dbh->selectcol_arrayref(
         q{SELECT name, id FROM fielddefs}, { Columns=>[1,2] })};
 
+    if (!$user->is_timetracker) {
+        foreach my $tt_field (TIMETRACKING_FIELDS) {
+            delete $chartfields{$tt_field};
+        }
+    }
+
     $row = 0;
     for ($chart=-1 ;
          $chart < 0 || $params->param("field$chart-0-0") ;
-- 
2.47.2
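Review bot: The added guard depends on `$user` and `TIMETRACKING_FIELDS` being in scope inside `init`, and neither is visible in this hunk; `init` starts before the hunk, so confirm that `$user` is the current user object rather than something that can be undef here, and that the constant is imported into Bugzilla::Search. The loop can be collapsed into one hash-slice delete, `delete @chartfields{ TIMETRACKING_FIELDS() };`, which states the intent more directly than iterating one key at a time. A why-comment would help the next maintainer understand that this is an access-control decision rather than a cosmetic filter, e.g. `# Users outside the timetracking group must not be able to chart time-tracking fields (bug 309952).` Since the fix works by removing keys from %chartfields, a request naming one of these fields now looks like an unknown field to the code further down (outside the hunk); it is worth confirming that path rejects the field with an error rather than passing the name through unchanged.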