[bugzilla-gnome-org-upstream/4.4] Bug 1151290: It is possible to tell if someone made a private comment on a bug even if you are not a

[Andrea Veri <av src gnome org>]

commit d445f63df2a2ce24523429130cbe62c4c084f8f0
Author: Simon Green <simon simongreen net>
Date:   Mon Apr 13 21:35:28 2015 +0100

    Bug 1151290: It is possible to tell if someone made a private comment on a bug even if you are not an 
'insider'
    r=dkl,a=glob

 Bugzilla/Search.pm |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)
---
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index acf458e..d67df03 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -2401,11 +2401,17 @@ sub _user_nonchanged {
 sub _long_desc_changedby {
     my ($self, $args) = @_;
     my ($chart_id, $joins, $value) = @$args{qw(chart_id joins value)};
-    
+
     my $table = "longdescs_$chart_id";
     push(@$joins, { table => 'longdescs', as => $table });
     my $user_id = $self->_get_user_id($value);
     $args->{term} = "$table.who = $user_id";
+
+    # If the user is not part of the insiders group, they cannot see
+    # private comments
+    if (!$self->_user->is_insider) {
+        $args->{term} .= " AND $table.isprivate = 0";
+    }
 }
 
 sub _long_desc_changedbefore_after {
@@ -2413,7 +2419,7 @@ sub _long_desc_changedbefore_after {
     my ($chart_id, $operator, $value, $joins) =
         @$args{qw(chart_id operator value joins)};
     my $dbh = Bugzilla->dbh;
-    
+
     my $sql_operator = ($operator =~ /before/) ? '<=' : '>=';
     my $table = "longdescs_$chart_id";
     my $sql_date = $dbh->quote(SqlifyDate($value));