Commit 3ff1cbe6 authored by Dave Lawrence's avatar Dave Lawrence

Bug 962060 - User.get ignores the "maxusermatches" parameter and allows listing all email addresses

r=LpSolit,a=justdave
parent 0446b5c7
...@@ -16,10 +16,10 @@ use Bugzilla::Constants; ...@@ -16,10 +16,10 @@ use Bugzilla::Constants;
use Bugzilla::Error; use Bugzilla::Error;
use Bugzilla::Group; use Bugzilla::Group;
use Bugzilla::User; use Bugzilla::User;
use Bugzilla::Util qw(trim); use Bugzilla::Util qw(trim detaint_natural);
use Bugzilla::WebService::Util qw(filter filter_wants validate translate params_to_objects); use Bugzilla::WebService::Util qw(filter filter_wants validate translate params_to_objects);
use List::Util qw(first); use List::Util qw(first min);
# Don't need auth to login # Don't need auth to login
use constant LOGIN_EXEMPT => { use constant LOGIN_EXEMPT => {
...@@ -209,12 +209,17 @@ sub get { ...@@ -209,12 +209,17 @@ sub get {
userid => $obj->id}); userid => $obj->id});
} }
} }
# User Matching # User Matching
my $limit; my $limit = Bugzilla->params->{maxusermatches};
if ($params->{'maxusermatches'}) { if ($params->{limit}) {
$limit = $params->{'maxusermatches'} + 1; detaint_natural($params->{limit})
|| ThrowCodeError('param_must_be_numeric',
{ function => 'Bugzilla::WebService::User::match',
param => 'limit' });
$limit = $limit ? min($params->{limit}, $limit) : $params->{limit};
} }
my $exclude_disabled = $params->{'include_disabled'} ? 0 : 1; my $exclude_disabled = $params->{'include_disabled'} ? 0 : 1;
foreach my $match_string (@{ $params->{'match'} || [] }) { foreach my $match_string (@{ $params->{'match'} || [] }) {
my $matched = Bugzilla::User::match($match_string, $limit, $exclude_disabled); my $matched = Bugzilla::User::match($match_string, $limit, $exclude_disabled);
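Review bot: The error thrown when `detaint_natural` rejects `limit` reports `function => 'Bugzilla::WebService::User::match'`, but the hunk header places this code in `sub get`, so a client sent a bad `limit` is pointed at a method it never called; it should read `function => 'Bugzilla::WebService::User::get'`. The removed code passed `maxusermatches + 1` to `Bugzilla::User::match`, presumably so the extra row could signal that the result set was truncated; the new code passes the cap itself, so if `Bugzilla::User::match` or API clients relied on that sentinel, a capped page is now indistinguishable from a complete one — worth confirming against `Bugzilla::User::match` before landing. The `if ($params->{limit})` guard also means `limit => 0` or `''` silently falls back to the system limit even though the POD below documents error 52 for any value not greater than zero; if that guard is changed to `defined`, note that a validated `0` must still not reach the ternary, because `$limit ? min(...) : $params->{limit}` would forward it as the cap and `Bugzilla::User::match` likely treats 0 as "no limit". `sub get` begins before this hunk and continues after it.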
...@@ -865,6 +870,13 @@ if they try. (This is to make it harder for spammers to harvest email ...@@ -865,6 +870,13 @@ if they try. (This is to make it harder for spammers to harvest email
addresses from Bugzilla, and also to enforce the user visibility addresses from Bugzilla, and also to enforce the user visibility
restrictions that are implemented on some Bugzillas.) restrictions that are implemented on some Bugzillas.)
=item C<limit> (int)
Limit the number of users matched by the C<match> parameter. If value
is greater than the system limit, the system limit will be used. This
parameter is only used when user matching using the C<match> parameter
is being performed.
=item C<group_ids> (array) =item C<group_ids> (array)
=item C<groups> (array) =item C<groups> (array)
...@@ -1009,6 +1021,10 @@ querying your own account, even if you are in the editusers group. ...@@ -1009,6 +1021,10 @@ querying your own account, even if you are in the editusers group.
You passed an invalid login name in the "names" array or a bad You passed an invalid login name in the "names" array or a bad
group ID in the C<group_ids> argument. group ID in the C<group_ids> argument.
=item 52 (Invalid Parameter)
The value used must be an integer greater than zero.
=item 304 (Authorization Required) =item 304 (Authorization Required)
You are logged in, but you are not authorized to see one of the users you You are logged in, but you are not authorized to see one of the users you
......