Patch #37155
Closed
Issue#last_notes fallback does not respect notes visibility
Start date:
Due date:
% Done: 0%
Estimated time:
Description
In Issue#last_notes there is a fallback for the case that the @last_notes instance variable has not been preloaded by Issue.load_visible_last_notes. This fallback does not filter journals by visibility, leading to possible unwanted disclosure of notes marked 'private'. I don't think this is an issue in the current Redmine code base as the fallback is never hit (I think), but in plugins, it might be triggered.
The attached patch adds a .visible to the scope used to find the relevant journal.
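The difference between an unfiltered and a visibility-filtered fallback, as an added plain-Ruby illustration that is not part of the original ticket and is not Redmine's code. The class, struct and method names, the simplified visibility rule (a private note is shown only to a viewer holding a view-private-notes flag) and the sample journals are all assumptions made for the example.

```ruby
# Added illustration in plain Ruby; not Redmine's code. All names below are
# hypothetical stand-ins for the models mentioned in the ticket.
Journal = Struct.new(:id, :notes, :private_notes)
Viewer  = Struct.new(:name, :can_view_private_notes)

class IssueModel
  def initialize(journals)
    @journals = journals
    @last_notes = nil
  end

  # Stand-in for the preloading step: caches the newest note the viewer may see.
  def preload_last_notes(viewer)
    @last_notes = newest_note(visible_journals(viewer)) || ""
  end

  # Fallback as described in the ticket: no visibility filter on the journals.
  def last_notes_unfiltered
    @last_notes || newest_note(@journals)
  end

  # Fallback with the visibility filter applied before picking the newest note.
  def last_notes_filtered(viewer)
    @last_notes || newest_note(visible_journals(viewer))
  end

  private

  # Assumed rule: a private note is visible only to viewers holding the flag.
  def visible_journals(viewer)
    @journals.select { |j| !j.private_notes || viewer.can_view_private_notes }
  end

  def newest_note(journals)
    journals.reject { |j| j.notes.to_s.empty? }.max_by(&:id)&.notes
  end
end

# Constructed sample data.
JOURNALS = [
  Journal.new(1, "Public status update", false),
  Journal.new(2, "", false),
  Journal.new(3, "Internal: customer contract details", true)
].freeze
REPORTER = Viewer.new("reporter", false)
MANAGER  = Viewer.new("manager", true)

# Runs both fallbacks on a fresh (not preloaded) issue for the given viewer.
def demo(viewer)
  issue = IssueModel.new(JOURNALS)
  { unfiltered: issue.last_notes_unfiltered, filtered: issue.last_notes_filtered(viewer) }
end
```

A regression test for plugin code that reads last notes without preloading can assert the same property: for a viewer without the permission, the returned text must never come from a private journal.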
Updated by Go MAEDA over 2 years ago
- Target version set to 4.2.7
Setting the target version to 4.2.7.
Updated by Marius BĂLTEANU over 2 years ago
- Status changed from New to Resolved
- Assignee set to Marius BĂLTEANU
Committed the fix, thanks!
Updated by Marius BĂLTEANU over 2 years ago
- Status changed from Resolved to Closed