From cda6e20b9ab268a042b51f9ef868849c1da62d98 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Thu, 23 Aug 2007 20:41:22 +0000
Subject: =?UTF-8?q?Bug=20382056:=20[SECURITY]=20Bugzilla::Webservice::Bug-?= =?UTF-8?q?>get=5Fbugs()=20doesn't=20check=20if=20the=20user=20is=20in=20t?= =?UTF-8?q?he=20timetracking=20group=20when=20returning=20data=20-=20Patch?= =?UTF-8?q?=20by=20Fr=C3=83=C2=A9d=C3=83=C2=A9ric=20Buclin=20=20r=3Dmkanat=20a=3DLpSolit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Bugzilla/WebService/Bug.pm | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'Bugzilla/WebService')
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index a2710c482..14ed2e7fd 100755
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -70,6 +70,13 @@ sub get_bugs {
 ValidateBugID($bug_id);
 my $bug = new Bugzilla::Bug($bug_id);
+ # Timetracking fields are deleted if the user doesn't belong to
+ # the corresponding group.
+ unless (Bugzilla->user->in_group(Bugzilla->params->{'timetrackinggroup'})) {
+ delete $bug->{'estimated_time'};
+ delete $bug->{'remaining_time'};
+ delete $bug->{'deadline'};
+ }
 # This is done in this fashion in order to produce a stable API.
 # The internals of Bugzilla::Bug are not stable enough to just
 # return them directly.
--
cgit v1.2.1
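Review bot: The `unless` block added to get_bugs hides timetracking data by deleting three named keys from `$bug`, which is a denylist: any other timetracking value stored on the object, now or after a later schema change, would still reach a caller outside `timetrackinggroup`. How `$bug` is turned into the response lies outside this hunk (the body of get_bugs starts before it and continues after it), so this is inferred from the "stable API" comment that follows; if the object is passed through largely as-is, building the result from an explicit list of allowed fields would fail closed instead. At minimum I would put `# Keep in sync with every timetracking field held on Bugzilla::Bug.` above the deletes and collapse them to `delete @$bug{qw(estimated_time remaining_time deadline)};` so the list lives in one place. The case where the `timetrackinggroup` parameter is empty deserves a one-line comment saying the fields are then removed for everyone, assuming `in_group('')` returns false. A regression test that calls get_bugs as a user outside the group and asserts the three keys are absent would pin the behaviour.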