Patch #37155
Issue#last_notes fallback does not respect notes visibility
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Issues | | |
| Target version: | 4.2.7 | | |
Description
In Issue#last_notes there is a fallback for the case that the @last_notes instance variable has not been preloaded by Issue.load_visible_last_notes. This fallback does not filter journals by visibility, leading to possible unwanted disclosure of notes marked 'private'. I don't think this is an issue in the current Redmine code base as the fallback is never hit (I think), but in plugins, it might be triggered.
The attached patch adds a .visible to the scope used to find the relevant journal.
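The failure mode described above, as an added example in plain Ruby (not Redmine's code and not the attached patch): when nothing has preloaded the last note, a fallback that picks the newest journal without a visibility filter returns a private note to a viewer who lacks permission for it. `IssueModel`, `Viewer`, `visible_journals` and the sample journals are hypothetical stand-ins constructed for illustration.

```ruby
# Simplified stand-ins for the tracker's models (hypothetical, constructed for illustration).
Journal = Struct.new(:id, :notes, :private_notes)
Viewer  = Struct.new(:name, :can_view_private_notes)

class IssueModel
  attr_writer :last_notes # set by a preloader that has already filtered by visibility

  def initialize(journals)
    @journals = journals
  end

  # Stand-in for a visibility scope: drop private notes unless the viewer may see them.
  def visible_journals(viewer)
    @journals.select { |j| !j.private_notes || viewer.can_view_private_notes }
  end

  # Fallback without a visibility filter: newest non-empty note, private or not.
  def last_notes_unfiltered(_viewer)
    @last_notes || newest_notes(@journals)
  end

  # Fallback with the visibility filter applied before picking the newest note.
  def last_notes_filtered(viewer)
    @last_notes || newest_notes(visible_journals(viewer))
  end

  private
  def newest_notes(journals)
    journals.reject { |j| j.notes.to_s.empty? }.max_by(&:id)&.notes
  end
end

# Constructed sample data: the newest non-empty note is private.
JOURNALS = [
  Journal.new(1, "Public: reproduced on staging", false),
  Journal.new(2, "", false),
  Journal.new(3, "Private: customer contract details", true)
].freeze

REPORTER = Viewer.new("reporter", false) # may not view private notes
MANAGER  = Viewer.new("manager", true)   # may view private notes

# Build an issue with no preloaded value, so the fallback path runs.
def demo(viewer)
  issue = IssueModel.new(JOURNALS)
  { unfiltered: issue.last_notes_unfiltered(viewer),
    filtered:   issue.last_notes_filtered(viewer) }
end

[REPORTER, MANAGER].each { |v| puts "#{v.name}: #{demo(v).inspect}" } if __FILE__ == $PROGRAM_NAME
```

A regression test for a plugin that calls the accessor without preloading can follow the same shape: create a private note as the newest journal, switch to a user without the private-notes permission, and assert that the accessor does not return it.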
Associated revisions
Issue#last_notes fallback does not respect notes visibility (#37155).
Patch by Jens Krämer.
History
#1
Updated by Go MAEDA about 1 month ago
- Target version set to 4.2.7
Setting the target version to 4.2.7.
#2
Updated by Marius BALTEANU about 1 month ago
- Status changed from New to Resolved
- Assignee set to Marius BALTEANU
Committed the fix, thanks!
#3
Updated by Marius BALTEANU about 1 month ago
- Status changed from Resolved to Closed