Feature #13919 » 0003-Add-permission-check-before-sending-email.patch

Mizuki ISHIKAWA, 2020-04-16 04:47

app/models/document.rb
63 63
  end
64 64

  
65 65
  def notified_users
66
    project.notified_users.reject {|user| !visible?(user)}
66
    project.notified_users.select {|user| user.allowed_to_view_notify_target?(self) }
67 67
  end
68 68

  
69 69
  private
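--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -1070,8 +1070,7 @@
     notified += project.users.preload(:preference).select(&:notify_about_high_priority_issues?) if priority.high?
     notified.uniq!
     # Remove users that can not view the issue
-    notified.reject! {|user| !visible?(user)}
-    notified
+    notified.select {|user| user.allowed_to_view_notify_target?(self)}
   end
 
   # Returns the email addresses that should be notified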
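--- a/app/models/journal.rb
+++ b/app/models/journal.rb
@@ -146,10 +146,7 @@
 
   def notified_users
     notified = journalized.notified_users
-    if private_notes?
-      notified = notified.select {|user| user.allowed_to?(:view_private_notes, journalized.project)}
-    end
-    notified
+    notified.select{ |u| u.allowed_to_view_notify_target?(self) }
   end
 
   def recipients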
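Review bot: `notified_users` now checks the journalized object's visibility twice per recipient when that object is an Issue: `journalized.notified_users` is already filtered through `allowed_to_view_notify_target?` in the issue.rb section, and the `when Journal` branch in user.rb calls it again on `object.journalized`. If the repeat is meant as defence in depth, a comment such as `# Re-checks visibility of the journalized object and adds the private-notes permission` would say so; whether `visible?` is cheap enough to run twice cannot be told from this page. The block is also written `select{ |u| ... }` while the other sections use `select {|user| ...}` (lib/redmine/acts/mentionable.rb drops the space before the brace as well), so `notified.select {|user| user.allowed_to_view_notify_target?(self)}` would match.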
app/models/message.rb
114 114
  end
115 115

  
116 116
  def notified_users
117
    project.notified_users.reject {|user| !visible?(user)}
117
    project.notified_users.select {|user| user.allowed_to_view_notify_target?(self) }
118 118
  end
119 119

  
120 120
  private
app/models/news.rb
56 56
  end
57 57

  
58 58
  def notified_users
59
    project.users.select {|user| user.notify_about?(self) && user.allowed_to?(:view_news, project)}
59
    project.users.select {|user| user.notify_about?(self) && user.allowed_to_view_notify_target?(self)}
60 60
  end
61 61

  
62 62
  def recipients
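Review bot: The new line in `notified_users` no longer names the `:view_news` permission; through the `else` branch of `allowed_to_view_notify_target?` it now depends on `News#visible?`, which this patch does not show. The filter stays equivalent only if that method enforces `:view_news` on the project, so it is worth confirming and recording with a comment such as `# News#visible? must keep enforcing :view_news for these recipients`. A test asserting that a project member without `:view_news` is absent from `notified_users` would pin the behaviour.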
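--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -855,6 +855,29 @@
     project_ids.map(&:to_i)
   end
 
+  # Return true if notify the mentioned user.
+  def notify_mentioned_user?(object)
+    self.active? &&
+      self.mail.present? &&
+      self.mail_notification.present? && self.mail_notification != 'none' &&
+      self.allowed_to_view_notify_target?(object)
+  end
+
+  # Return true if the user is allowed to view the notify target.
+  def allowed_to_view_notify_target?(object)
+    case object
+    when Journal
+      self.allowed_to_view_notify_target?(object.journalized) &&
+        (!object.private_notes? || self.allowed_to?(:view_private_notes, object.journalized.project))
+    when Comment
+      self.allowed_to_view_notify_target?(object.commented)
+    when nil
+      false
+    else
+      object.visible?(self)
+    end
+  end
+
   protected
 
   def validate_password_length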
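Review bot: The `else` branch of `allowed_to_view_notify_target?` assumes every notify target implements `visible?(user)`; a target without it raises NoMethodError while recipients are being computed instead of being denied. Every recipient filter changed in this patch goes through this method, so returning false for unknown types is the safer default: `object.respond_to?(:visible?) && object.visible?(self)`. The comment above it could state the contract, for example `# Returns true if the user may view the object a notification is about; Journal and Comment delegate to their parent object.`, and `# Return true if notify the mentioned user.` reads better as `# Returns true if the user should be notified of a mention in object.`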
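--- a/lib/redmine/acts/mentionable.rb
+++ b/lib/redmine/acts/mentionable.rb
@@ -44,8 +44,7 @@
 
         def notified_mentions
           notified = mentioned_users.to_a
-          notified.reject! {|user| user.mail.blank? || user.mail_notification == 'none'}
-          notified
+          notified.select{|user| user.notify_mentioned_user?(self) }
         end
 
         private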
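Review bot: `notified_mentions` has no comment saying that mentioned users are now filtered by permission as well as by mail settings, which is the behaviour a reader most needs to know about this method; something like `# Mentioned users who are active, accept mail and are allowed to view this object` would cover it. The temporary `notified` is no longer needed and the body can be one line, `mentioned_users.to_a.select {|user| user.notify_mentioned_user?(self)}`. A test with a mentioned user who cannot view the object would guard against the check being dropped later.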