Defect #12286
closed
Emails of private notes are sent to watcher users regardless of viewing permissions
0%
Description
Mailer for both for issue_add and issue_edit doesn't take watchers' private notes viewing permissions in consideration when generating the cc list.
A possible solution would be to do the following:
recipients = journal.recipients
watchers = journal.journalized.watcher_users.active
watchers.reject! {|user| !journal.visible?(user)}
cc = watchers.collect(&:mail) - recipients
Being journal.visible? a new method on Journal:
def visible?(usr=User.current)
issue.visible?(usr) && (!private_notes? || usr.allowed_to?(:view_private_notes, project))
end
Related issues
Updated by Ricardo S over 12 years ago
The affected version is Redmine 2.1.2.devel.10772
The rails version is Rails 3.2.8
Updated by Arjen van der Veen over 12 years ago
I tried the proposed solution and it works for me. Thank you!
Updated by Daniel Felix over 12 years ago
Testet with revision 10781 and works for me.
Updated by Ricardo S over 12 years ago
Daniel, make sure you do the following steps:
- Login as user U1
- Assign an user U2 as a watcher on a issue I of project P (user U2 must not have permission to view private notes on that project P)
- Write a private note on issue I
User U2 now receives a notification email when it shouldn't.
On r10781, neither Mailer nor ActsAsWatchable are fixed so you should still be able to reproduce it:
65| recipients = journal.recipient # Assigns author, assignee selecting those who can view private_notes
66| # Watchers in cc
67| cc = issue.watcher_recipients - recipients # watcher_recipients selects all the watchers that can view
# the issue without rejecting those who can't view private notes
Here's a correction on my solution (I forgot to filter the watchers like it is done on ActsAsWatchable):
recipients = journal.recipients
watchers = journal.journalized.watcher_users.active
watchers.reject! {|user| user.mail_notification == 'none' || !journal.visible?(user)}
cc = watchers.collect(&:mail).compact - recipients
Updated by Daniel Felix over 12 years ago
Ricardo S wrote:
On r10781, neither Mailer nor ActsAsWatchable are fixed so you should still be able to reproduce it:
Hi Ricardo,
well I meaned that your patch worked for me. Sorry for the missleading note.
I've tried your patch in this revision and it worked for me (it fixes the descripted problem). ;-)
Updated by Jean-Philippe Lang over 12 years ago
- Status changed from New to Confirmed
- Assignee set to Jean-Philippe Lang
Updated by Jean-Philippe Lang over 12 years ago
- Status changed from Confirmed to Closed
- Affected version (unused) set to devel
- Resolution set to Fixed
Fixed with test in r10789, thanks for pointing this out.