Bugzilla->user->visible_bugs is the central place for checking bug visibility. duplicates.cgi does not use it. It probably should. It does create a Search object and use the SQL returned with the explicit purpose of getting security checking. One way of fixing bugs like this might be to "move" the positioning of the interface on the Search object so that it returns a set of Bug objects rather than an SQL string. Then, we could centralize any post-search visibility filtering inside Search.pm. No patch for this one yet, sorry. Gerv
This one will be handled by bug 514970.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 514970
You need to log in before you can comment on or make changes to this bug.