Project

General

Profile

Actions
Copy link

Patch #37155

closed

Issue#last_notes fallback does not respect notes visibility

Added by Jens Krämer about 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Marius BĂLTEANU
Category:
Issues
Target version:
4.2.7
Start date:
Due date:
% Done:

0%

Estimated time:

Description

In Issue#last_notes there is a fallback for the case that the @last_notes instance variable has not been preloaded by Issue.load_visible_last_notes. This fallback does not filter journals by visibility, leading to possible unwanted disclosure of notes marked 'private'. I don't think this is an issue in the current Redmine code base as the fallback is never hit (I think), but in plugins, it might be triggered.

The attached patch adds a .visible to the scope used to find the relevant journal.

Files

0001-makes-sure-Issue-last_notes-only-returns-note-text-o.patch (752 Bytes) 0001-makes-sure-Issue-last_notes-only-returns-note-text-o.patch Jens Krämer, 2022-05-24 12:28
Actions
Copy link
 #1

Updated by Go MAEDA about 3 years ago

  • Target version set to 4.2.7

Setting the target version to 4.2.7.

Actions
Copy link
 #2

Updated by Marius BĂLTEANU about 3 years ago

  • Status changed from New to Resolved
  • Assignee set to Marius BĂLTEANU

Committed the fix, thanks!

Actions
Copy link
 #3

Updated by Marius BĂLTEANU about 3 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF