From 0c5df782782ed16d8bb795c7df1813f436f25fc7 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Thu, 16 Apr 2020 02:11:45 +0000
Subject: [PATCH 3/3] Add permission check before sending notification email
---
 app/models/document.rb | 2 +-
 app/models/issue.rb | 3 +--
 app/models/journal.rb | 5 +----
 app/models/message.rb | 2 +-
 app/models/news.rb | 2 +-
 app/models/user.rb | 23 +++++++++++++++++++++++
 lib/redmine/acts/mentionable.rb | 3 +--
 7 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/app/models/document.rb b/app/models/document.rb
index 98a557971..6f6a461fb 100644
--- a/app/models/document.rb
+++ b/app/models/document.rb
@@ -63,7 +63,7 @@ class Document < ActiveRecord::Base
 end
 
 def notified_users
- project.notified_users.reject {|user| !visible?(user)}
+ project.notified_users.select {|user| user.allowed_to_view_notify_target?(self) }
 end
 
 private
diff --git a/app/models/issue.rb b/app/models/issue.rb
index fad34ddc8..88c9d93d0 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -1070,8 +1070,7 @@ class Issue < ActiveRecord::Base
 notified += project.users.preload(:preference).select(&:notify_about_high_priority_issues?) if priority.high?
 notified.uniq!
 # Remove users that can not view the issue
- notified.reject! {|user| !visible?(user)}
- notified
+ notified.select {|user| user.allowed_to_view_notify_target?(self)}
 end
 
 # Returns the email addresses that should be notified
diff --git a/app/models/journal.rb b/app/models/journal.rb
index fb6ba46bd..574926b6d 100644
--- a/app/models/journal.rb
+++ b/app/models/journal.rb
@@ -146,10 +146,7 @@ class Journal < ActiveRecord::Base
 
 def notified_users
 notified = journalized.notified_users
- if private_notes?
- notified = notified.select {|user| user.allowed_to?(:view_private_notes, journalized.project)}
- end
- notified
+ notified.select{ |u| u.allowed_to_view_notify_target?(self) }
 end
 
 def recipients
diff --git a/app/models/message.rb b/app/models/message.rb
index 8bf35dc97..d0f4894dc 100644
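Review bot: The formatting of the new `select` blocks differs from hunk to hunk — `select {|user| ... }` here and in message.rb, `select {|user| ...}` in issue.rb and news.rb, `select{ |u| ... }` in journal.rb and `select{|user| ... }` in mentionable.rb — so one form is worth settling on. The surrounding code in these same hunks uses `select {|user| ...}` with no padding inside the braces, e.g. `project.notified_users.select {|user| user.allowed_to_view_notify_target?(self)}`. The semantics of the replaced line are preserved, since for a Document the new helper falls through to its `else` branch and calls `visible?(user)` as before.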
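Review bot: The new filter evaluates the base visibility check twice per recipient: `journalized.notified_users` already applies `allowed_to_view_notify_target?` when the journalized object is an Issue (see the issue.rb hunk), and the `Journal` branch of the helper calls it again on `object.journalized` before the private-notes test. That is correct but doubles the per-user permission work compared with the removed code, which only added the `:view_private_notes` check on top; if the redundancy is accepted for simplicity, a one-line comment saying so would stop a later reader from treating it as a bug. The `notified` local is now assigned and used once and can be inlined: `journalized.notified_users.select {|user| user.allowed_to_view_notify_target?(self)}`.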
--- a/app/models/message.rb
+++ b/app/models/message.rb
@@ -114,7 +114,7 @@ class Message < ActiveRecord::Base
 end
 
 def notified_users
- project.notified_users.reject {|user| !visible?(user)}
+ project.notified_users.select {|user| user.allowed_to_view_notify_target?(self) }
 end
 
 private
diff --git a/app/models/news.rb b/app/models/news.rb
index a96b60224..91dc4670f 100644
--- a/app/models/news.rb
+++ b/app/models/news.rb
@@ -56,7 +56,7 @@ class News < ActiveRecord::Base
 end
 
 def notified_users
- project.users.select {|user| user.notify_about?(self) && user.allowed_to?(:view_news, project)}
+ project.users.select {|user| user.notify_about?(self) && user.allowed_to_view_notify_target?(self)}
 end
 
 def recipients
diff --git a/app/models/user.rb b/app/models/user.rb
index 9a073f1bd..5e297be6d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -855,6 +855,29 @@ class User < Principal
 project_ids.map(&:to_i)
 end
 
+ # Return true if notify the mentioned user.
+ def notify_mentioned_user?(object)
+ self.active? &&
+ self.mail.present? &&
+ self.mail_notification.present? && self.mail_notification != 'none' &&
+ self.allowed_to_view_notify_target?(object)
+ end
+
+ # Return true if the user is allowed to view the notify target.
+ def allowed_to_view_notify_target?(object)
+ case object
+ when Journal
+ self.allowed_to_view_notify_target?(object.journalized) &&
+ (!object.private_notes? || self.allowed_to?(:view_private_notes, object.journalized.project))
+ when Comment
+ self.allowed_to_view_notify_target?(object.commented)
+ when nil
+ false
+ else
+ object.visible?(self)
+ end
+ end
+
 protected
 
 def validate_password_length
diff --git a/lib/redmine/acts/mentionable.rb b/lib/redmine/acts/mentionable.rb
index 3c6c05c72..316bd65df 100644
--- a/lib/redmine/acts/mentionable.rb
+++ b/lib/redmine/acts/mentionable.rb
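Review bot: The explicit `allowed_to?(:view_news, project)` check is replaced by a call that, for a News object, ends in the helper's `else` branch and so depends entirely on `News#visible?`, which is not part of this patch. Please confirm that `visible?` enforces the same `:view_news` permission on `project` (and rejects a nil user); if it checks anything weaker, this hunk widens the set of users who receive news mail rather than tightening it as the subject line says. A short comment on the line, `# visibility is delegated to News#visible? via allowed_to_view_notify_target?`, would make that dependency explicit.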
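Review bot: The `else` branch of `allowed_to_view_notify_target?` assumes every target responds to `visible?`; a target that does not (for example an unexpected `journalized` or `commented` association type) raises NoMethodError inside recipient filtering and aborts the whole delivery instead of just excluding that user. For a permission predicate the safer default is to fail closed: `else` / `object.respond_to?(:visible?) && object.visible?(self)`. Separately, `notify_mentioned_user?` now requires `mail_notification.present?`, whereas the check it replaces in mentionable.rb only excluded `'none'`, so a user with a blank preference stops receiving mention mail; if that is intended, the header comment should say so, e.g. `# Returns true if this user should be emailed about a mention in +object+: active, has an address, has a notification preference other than 'none', and may view the target.` The `self.` receivers throughout both methods are redundant in Ruby and can be dropped.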
@@ -44,8 +44,7 @@ module Redmine
 
 def notified_mentions
 notified = mentioned_users.to_a
- notified.reject! {|user| user.mail.blank? || user.mail_notification == 'none'}
- notified
+ notified.select{|user| user.notify_mentioned_user?(self) }
 end
 
 private
-- 2.11.0
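Review bot: `notified` is now assigned and used exactly once, so the local adds nothing; the method body reads as `mentioned_users.to_a.select {|user| user.notify_mentioned_user?(self)}` (whether `to_a` itself is still needed depends on what `mentioned_users` returns, which is not visible here). The removed line filtered only on a blank address and the `'none'` preference, while the new call also drops inactive users and users with a blank preference and applies the visibility check — that behaviour change is implemented in user.rb but is invisible from this file, so a comment such as `# active, mail, preference and visibility checks live in User#notify_mentioned_user?` would keep it discoverable.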