From 79b572263ea0dfcc1638757057825c3e6a2ee38d Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Sun, 15 Oct 2006 04:04:55 +0000 Subject: =?UTF-8?q?Bug=20346086:=20[SECURITY]=20attachment.cgi=20lets=20yo?= =?UTF-8?q?u=20view=20descriptions=20of=20private=20attachments=20even=20w?= =?UTF-8?q?hen=20you=20are=20not=20in=20the=20insidergroup=20-=20Patch=20b?= =?UTF-8?q?y=20Fr=C3=A9d=C3=A9ric=20Buclin=20=20r=3Dmyk?= =?UTF-8?q?=20a=3Djustdave?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- template/en/default/attachment/list.html.tmpl | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'template/en/default/attachment/list.html.tmpl') diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl index adb927e1a..a0445b16a 100644 --- a/template/en/default/attachment/list.html.tmpl +++ b/template/en/default/attachment/list.html.tmpl @@ -32,11 +32,10 @@ [% END %] Actions - [% canseeprivate = !Param("insidergroup") || user.in_group(Param("insidergroup")) %] [% count = 0 %] [% FOREACH attachment = attachments %] [% count = count + 1 %] - [% IF !attachment.isprivate || canseeprivate %] + [% IF !attachment.isprivate || user.is_insider || attachment.attacher.id == user.id %] [% attachment.description FILTER html FILTER obsolete(attachment.isobsolete) %] -- cgit v1.2.1
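Review bot: The visibility rule for private attachments still lives in the template, in the new `[% IF !attachment.isprivate || user.is_insider || attachment.attacher.id == user.id %]` line, so every customised or localised copy of list.html.tmpl has to carry the same condition. If the code that builds `attachments` (not visible here) does not already apply this rule, filtering there would remove that dependency. The attacher exception is new and unexplained; a comment above the IF such as `[%# Private attachments are listed only for insiders and for the user who attached them. %]` would record the intent. `count` is still incremented before the IF, so if it is displayed or used after the loop (outside this hunk) it also counts attachments the viewer cannot see. The FOREACH and IF blocks close outside the hunk.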