Thomas Sibley authored
Check CurrentUserCanSee before trying to add an attachment since it could otherwise end up empty now that we have the correct current user. Additionally, simply check RT::Transaction's CurrentUserCanSee when iterating inside an RT::Attachments object rather than maintaining a different but similar conditional tree. CurrentUserCanSee correctly access checks transaction types like EmailRecord, for example. This resolves part of CVE-2011-2084.
5170d905