Defect #12286

Emails of private notes are sent to watcher users regardless of viewing permissions

Added by Ricardo S about 5 years ago. Updated about 5 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%
Category: Email notifications
Target version: 2.2.0
Resolution: Fixed
Affected version:

Description

The Mailer for both issue_add and issue_edit doesn't take watchers' private notes viewing permissions into consideration when generating the cc list.

A possible solution would be to do the following:

  recipients = journal.recipients
  watchers = journal.journalized.watcher_users.active
  watchers.reject! {|user| !journal.visible?(user)}

  cc = watchers.collect(&:mail) - recipients

journal.visible? being a new method on Journal:

  def visible?(usr=User.current)
    issue.visible?(usr) && (!private_notes? || usr.allowed_to?(:view_private_notes, project))
  end


Related issues

Related to Redmine - Feature #1554: Private comments in tickets Closed 2008-06-30

Associated revisions

Revision 10789
Added by Jean-Philippe Lang about 5 years ago

Fixed that watchers receive notifications for private comments without permission (#12286).

History

#1 Updated by Ricardo S about 5 years ago

The affected version is Redmine 2.1.2.devel.10772
The rails version is Rails 3.2.8

#2 Updated by Arjen van der Veen about 5 years ago

I tried the proposed solution and it works for me. Thank you!

#3 Updated by Daniel Felix about 5 years ago

Tested with revision 10781 and it works for me.

#4 Updated by Ricardo S about 5 years ago

Daniel, make sure you do the following steps:

  1. Log in as user U1
  2. Assign a user U2 as a watcher on an issue I of project P (user U2 must not have permission to view private notes on that project P)
  3. Write a private note on issue I

User U2 now receives a notification email when it shouldn't.

On r10781, neither Mailer nor ActsAsWatchable are fixed so you should still be able to reproduce it:

  recipients = journal.recipients # Assigns author, assignee selecting those who can view private_notes
  # Watchers in cc
  cc = issue.watcher_recipients - recipients # watcher_recipients selects all the watchers that can view
                                             # the issue without rejecting those who can't view private notes

Here's a correction on my solution (I forgot to filter the watchers like it is done on ActsAsWatchable):

  recipients = journal.recipients
  watchers = journal.journalized.watcher_users.active
  watchers.reject! {|user| user.mail_notification == 'none' || !journal.visible?(user)}

  cc = watchers.collect(&:mail).compact - recipients
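
The watcher filtering discussed in the comment above, as an added example that is not part of the ticket or of Redmine's code. It is a plain-Ruby model without Rails: User, Issue, Journal, cc_unfiltered and cc_filtered are hypothetical stand-ins, and the sample users are constructed.

```ruby
# Plain-Ruby model (no Rails) of the cc-list logic discussed in this ticket.
# User, Issue and Journal are simplified stand-ins, not Redmine's classes.
User = Struct.new(:mail, :mail_notification, :permissions, :active) do
  def allowed_to?(permission)
    permissions.include?(permission)
  end
end

Issue = Struct.new(:watcher_users) do
  # In this model every watcher is allowed to view the issue itself.
  def visible?(_user)
    true
  end
end

Journal = Struct.new(:issue, :private_notes, :recipients) do
  # Same rule as the visible? method proposed in the ticket description.
  def visible?(user)
    issue.visible?(user) && (!private_notes || user.allowed_to?(:view_private_notes))
  end
end

# Reported behaviour: watchers are never checked against the journal's visibility.
def cc_unfiltered(journal)
  watchers = journal.issue.watcher_users.select(&:active)
  watchers.reject { |u| u.mail_notification == 'none' }.map(&:mail).compact - journal.recipients
end

# Corrected logic from comment #4: also drop watchers who cannot see the journal.
def cc_filtered(journal)
  watchers = journal.issue.watcher_users.select(&:active)
  watchers = watchers.reject { |u| u.mail_notification == 'none' || !journal.visible?(u) }
  watchers.map(&:mail).compact - journal.recipients
end

# Constructed sample data: U2 watches the issue but lacks :view_private_notes.
U1 = User.new('u1@example.test', 'all', [:view_private_notes], true)
U2 = User.new('u2@example.test', 'all', [], true)
U3 = User.new('u3@example.test', 'all', [:view_private_notes], true)
U4 = User.new(nil, 'none', [:view_private_notes], true)
ISSUE = Issue.new([U1, U2, U3, U4])
PRIVATE_NOTE = Journal.new(ISSUE, true, [U1.mail])
PUBLIC_NOTE  = Journal.new(ISSUE, false, [U1.mail])

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered cc: #{cc_unfiltered(PRIVATE_NOTE).inspect}"
  puts "filtered cc:   #{cc_filtered(PRIVATE_NOTE).inspect}"
end
```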

#5 Updated by Daniel Felix about 5 years ago

Ricardo S wrote:

On r10781, neither Mailer nor ActsAsWatchable are fixed so you should still be able to reproduce it:

Hi Ricardo,

Well, I meant that your patch worked for me. Sorry for the misleading note.

I've tried your patch in this revision and it worked for me (it fixes the described problem). ;-)

#6 Updated by Jean-Philippe Lang about 5 years ago

  • Status changed from New to Confirmed
  • Assignee set to Jean-Philippe Lang

#7 Updated by Jean-Philippe Lang about 5 years ago

  • Target version set to 2.2.0

#8 Updated by Jean-Philippe Lang about 5 years ago

  • Status changed from Confirmed to Closed
  • Affected version (unused) set to devel
  • Resolution set to Fixed

Fixed with test in r10789, thanks for pointing this out.
