Cross project issue relations and user permissions
|Category:||Issues||Estimated time:||1.00 hour|
I have an odd use-case here. Administrator Alice enables cross-project issue relations, creates a private project and creates issue 1 (an issue User Bob can't see). Bob, who belongs to a public project, creates issue 2. Being the sneaky user that he is, he wants to see what tickets private trackers have. He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!
Basically, cross-project issue relations aren't respecting user permissions to see the ticket (or its subject). The issue relation could be kept, for sure, just not displayed to that user.
I gather the fix is to restrict what issue relations show according the the viewing user's permissions, yeah?
Fixed: users should not be able to add relations with issues they're not allowed to view (#2589).
#1 Updated by Jean-Philippe Lang about 10 years ago
He adds an issue relation to issue 1 and sees the ticket subject. Oh noes!
This is fixed in r2323. Users are no longer able to add relation on tickets they're not allowed to view.
TODO: do not show a relation if the related issue can not be viewed.