Defect #12286
Emails of private notes are sent to watcher users regardless of viewing permissions
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Email notifications | | |
| Target version: | 2.2.0 | | |
| Resolution: | Fixed | Affected version: | |
Description
Mailer for both issue_add and issue_edit doesn't take watchers' private notes viewing permissions into consideration when generating the cc list.
A possible solution would be to do the following:
recipients = journal.recipients
watchers = journal.journalized.watcher_users.active
watchers.reject! {|user| !journal.visible?(user)}
cc = watchers.collect(&:mail) - recipients
With journal.visible? being a new method on Journal:
def visible?(usr=User.current)
  issue.visible?(usr) && (!private_notes? || usr.allowed_to?(:view_private_notes, project))
end
Associated revisions
Fixed that watchers receive notifications for private comments without permission (#12286).
History
#1
Updated by Ricardo S over 10 years ago
The affected version is Redmine 2.1.2.devel.10772
The rails version is Rails 3.2.8
#2
Updated by Arjen van der Veen over 10 years ago
I tried the proposed solution and it works for me. Thank you!
#3
Updated by Daniel Felix over 10 years ago
Tested with revision 10781 and works for me.
#4
Updated by Ricardo S over 10 years ago
Daniel, make sure you do the following steps:
- Log in as user U1
- Assign a user U2 as a watcher on an issue I of project P (user U2 must not have permission to view private notes on that project P)
- Write a private note on issue I
User U2 now receives a notification email when it shouldn't.
On r10781, neither Mailer nor ActsAsWatchable are fixed so you should still be able to reproduce it:
# Assigns author, assignee selecting those who can view private_notes
recipients = journal.recipients
# Watchers in cc
# watcher_recipients selects all the watchers that can view the issue
# without rejecting those who can't view private notes
cc = issue.watcher_recipients - recipients
Here's a correction on my solution (I forgot to filter the watchers like it is done on ActsAsWatchable):
recipients = journal.recipients
watchers = journal.journalized.watcher_users.active
watchers.reject! {|user| user.mail_notification == 'none' || !journal.visible?(user)}
cc = watchers.collect(&:mail).compact - recipients
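The difference between the issue-level watcher filter and the journal-level filter proposed in this thread, as an added example that is not part of the original ticket or of Redmine's code. The `User`, `Issue` and `Journal` structs, the `members` field, both `cc_*` helper names and the sample addresses are assumptions made so that it runs without Rails.

```ruby
# Hypothetical stand-ins for Redmine's models; only what the cc logic touches.
User = Struct.new(:mail, :mail_notification, :permissions) do
  def allowed_to?(permission, _project)
    permissions.include?(permission)
  end
end

Issue = Struct.new(:project, :members, :watcher_users) do
  def visible?(user)
    members.include?(user)
  end
end

Journal = Struct.new(:issue, :private_notes, :recipients) do
  # Visibility check as proposed in the description.
  def visible?(user)
    issue.visible?(user) &&
      (!private_notes || user.allowed_to?(:view_private_notes, issue.project))
  end
end

# Behaviour described for r10781: watchers are filtered by issue visibility only.
def cc_issue_level(journal)
  watchers = journal.issue.watcher_users.reject do |u|
    u.mail_notification == 'none' || !journal.issue.visible?(u)
  end
  watchers.collect(&:mail).compact - journal.recipients
end

# Corrected filter from comment #4: watchers must also be able to see the journal.
def cc_journal_level(journal)
  watchers = journal.issue.watcher_users.reject do |u|
    u.mail_notification == 'none' || !journal.visible?(u)
  end
  watchers.collect(&:mail).compact - journal.recipients
end

# Constructed sample data: U1 writes the note, U2 lacks :view_private_notes.
def sample_journal(private_notes)
  u1 = User.new('u1@example.test', 'all', [:view_private_notes])
  u2 = User.new('u2@example.test', 'all', [])
  u3 = User.new('u3@example.test', 'all', [:view_private_notes])
  u4 = User.new('u4@example.test', 'none', [:view_private_notes])
  users = [u1, u2, u3, u4]
  Journal.new(Issue.new('P', users, users), private_notes, [u1.mail])
end

private_note = sample_journal(true)
puts "issue-level filter:   #{cc_issue_level(private_note).inspect}"
puts "journal-level filter: #{cc_journal_level(private_note).inspect}"
```

A regression test for this class of bug should cover both a private and a public journal, so that the filter is shown to drop unauthorized watchers without suppressing notifications for ordinary notes.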
#5
Updated by Daniel Felix over 10 years ago
Ricardo S wrote:
On r10781, neither Mailer nor ActsAsWatchable are fixed so you should still be able to reproduce it:
Hi Ricardo,
Well, I meant that your patch worked for me. Sorry for the misleading note.
I've tried your patch in this revision and it worked for me (it fixes the described problem). ;-)
#6
Updated by Jean-Philippe Lang about 10 years ago
- Status changed from New to Confirmed
- Assignee set to Jean-Philippe Lang
#7
Updated by Jean-Philippe Lang about 10 years ago
- Target version set to 2.2.0
#8
Updated by Jean-Philippe Lang about 10 years ago
- Status changed from Confirmed to Closed
- Affected version (unused) set to devel
- Resolution set to Fixed
Fixed with test in r10789, thanks for pointing this out.