Issue#last_notes fallback does not respect notes visibility
Assignee: Marius BALTEANU
In Issue#last_notes there is a fallback for the case that the @last_notes instance variable has not been preloaded by Issue.load_visible_last_notes. This fallback does not filter journals by visibility, leading to possible unwanted disclosure of notes marked 'private'. I don't think this is an issue in the current Redmine code base as the fallback is never hit (I think), but in plugins, it might be triggered.
The attached patch adds a .visible to the scope used to find the relevant journal.
Issue#last_notes fallback does not respect notes visibility (#37155).
Patch by Jens Krämer.
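The preload-versus-fallback gap described in this issue, as an added plain-Ruby model that is not Redmine's code or the attached patch. The classes, the `filter:` switch, the visibility rule (private notes are hidden unless the viewer has a view-private-notes right) and the sample journals are all constructed assumptions for illustration.

```ruby
# Constructed model of the preload-vs-fallback pattern; plain Ruby, no Redmine code.
Journal = Struct.new(:id, :notes, :private_notes)
Viewer  = Struct.new(:name, :may_view_private_notes)

class JournalScope
  def initialize(rows, viewer)
    @rows = rows
    @viewer = viewer
  end

  # Stand-in for a `.visible` scope: hide private notes from viewers without the right.
  def visible
    allowed = @rows.select { |j| !j.private_notes || @viewer.may_view_private_notes }
    JournalScope.new(allowed, @viewer)
  end

  # Notes of the newest journal that has non-empty notes, or nil.
  def newest_notes
    row = @rows.reject { |j| j.notes.to_s.empty? }.max_by(&:id)
    row && row.notes
  end
end

class Issue
  def initialize(rows)
    @rows = rows
  end

  # Preload path: always goes through the visibility filter.
  def preload_last_notes(viewer)
    @last_notes = JournalScope.new(@rows, viewer).visible.newest_notes
  end

  # filter: false models the fallback as reported, filter: true the patched one.
  def last_notes(viewer, filter:)
    return @last_notes if defined?(@last_notes)
    scope = JournalScope.new(@rows, viewer)
    scope = scope.visible if filter
    scope.newest_notes
  end
end

def sample_rows # constructed sample data
  [Journal.new(1, "Public status update", false),
   Journal.new(2, "", false),
   Journal.new(3, "Private: internal escalation details", true)]
end

GUEST = Viewer.new("guest", false)
puts Issue.new(sample_rows).last_notes(GUEST, filter: false)
puts Issue.new(sample_rows).last_notes(GUEST, filter: true)
```

A regression test for a plugin that calls last_notes without preloading can follow the same shape: create a private journal as the newest note and assert that a viewer without the right never receives its text.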