Patch #37155

Issue#last_notes fallback does not respect notes visibility

Added by Jens Krämer about 1 month ago. Updated 28 days ago.

Status: Closed
Priority: Normal
Assignee: Marius BALTEANU
Category: Issues
Target version: 4.2.7
Start date:
Due date:
% Done: 0%

Description

In Issue#last_notes there is a fallback for the case that the @last_notes instance variable has not been preloaded by Issue.load_visible_last_notes. This fallback does not filter journals by visibility, leading to possible unwanted disclosure of notes marked 'private'. I don't think this is an issue in the current Redmine code base as the fallback is never hit (I think), but in plugins, it might be triggered.

The attached patch adds a .visible to the scope used to find the relevant journal.

Attachment: 0001-makes-sure-Issue-last_notes-only-returns-note-text-o.patch (752 Bytes) Jens Krämer, 2022-05-24 12:28
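The fallback problem described above, as an added illustration that is not Redmine's own code or the attached patch: a minimal plain-Ruby stand-in for Issue and Journal. The User and Journal structs, the `visible_journals` method standing in for the `Journal.visible` scope, the simplified `load_visible_last_notes` preloader, and the `view_private_notes` permission check are all assumptions made for this example, and the sample journals are constructed.

```ruby
# Added example, not Redmine's code: a minimal stand-in for Issue/Journal
# showing why the un-preloaded last_notes fallback must filter by visibility.
# User, Journal, visible_journals and load_visible_last_notes are assumed
# simplifications of the real models.

# A user who may or may not hold the permission to read private notes (assumed).
User = Struct.new(:name, :view_private_notes) do
  def allowed_to?(permission)
    permission == :view_private_notes && view_private_notes
  end
end

# A journal entry; private_notes mirrors the flag that marks a note 'private'.
Journal = Struct.new(:id, :notes, :private_notes)

class Issue
  attr_reader :journals

  def initialize(journals)
    @journals = journals.sort_by(&:id)
    @last_notes = nil # filled by load_visible_last_notes, or lazily by the fallback
  end

  # Stand-in for the Journal.visible scope: private notes are hidden from
  # users without the view_private_notes permission.
  def visible_journals(user)
    journals.select { |j| !j.private_notes || user.allowed_to?(:view_private_notes) }
  end

  # Stand-in for Issue.load_visible_last_notes: preload the newest visible
  # note text for each issue in a list (the path an issue list takes).
  def self.load_visible_last_notes(issues, user)
    issues.each do |issue|
      issue.instance_variable_set(:@last_notes, issue.newest_note_text(issue.visible_journals(user)))
    end
  end

  # Vulnerable fallback: when @last_notes was not preloaded, it queries all
  # journals without a visibility filter, so a private note can leak.
  def last_notes_unfiltered
    @last_notes ||= newest_note_text(journals)
  end

  # Fixed fallback: the same query restricted to journals visible to the user.
  def last_notes(user)
    @last_notes ||= newest_note_text(visible_journals(user))
  end

  # Newest journal with non-empty notes, or '' if there is none.
  def newest_note_text(scope)
    journal = scope.reject { |j| j.notes.to_s.empty? }.last
    journal ? journal.notes : ''
  end
end

# Constructed sample data: a public note followed by a newer private one.
SAMPLE_JOURNALS = [
  Journal.new(1, 'Reproduced on staging.', false),
  Journal.new(2, 'Private: customer shared account details by phone.', true),
].freeze

# Returns what each code path exposes to a user without the private-notes permission.
def demo
  outsider = User.new('outsider', false)
  member   = User.new('member', true)

  fallback_vulnerable = Issue.new(SAMPLE_JOURNALS).last_notes_unfiltered
  fallback_fixed      = Issue.new(SAMPLE_JOURNALS).last_notes(outsider)
  fallback_member     = Issue.new(SAMPLE_JOURNALS).last_notes(member)

  preloaded = Issue.new(SAMPLE_JOURNALS)
  Issue.load_visible_last_notes([preloaded], outsider)
  # With @last_notes preloaded, the vulnerable fallback is never reached.
  preloaded_path = preloaded.last_notes_unfiltered

  { fallback_vulnerable: fallback_vulnerable,
    fallback_fixed: fallback_fixed,
    fallback_member: fallback_member,
    preloaded_path: preloaded_path }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running `demo` shows the point of the patch: the preloaded path and the fixed fallback both return only the public note to a user without the permission, while the unfiltered fallback hands back the private note. A plugin that reaches `last_notes` on an issue that was never passed through the preloader is exactly the case where the unfiltered fallback is hit.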

Associated revisions

Revision 21613
Added by Marius BALTEANU 29 days ago

Issue#last_notes fallback does not respect notes visibility (#37155).

Patch by Jens Krämer.

Revision 21620
Added by Marius BALTEANU 28 days ago

Merged r21613 to 5.0-stable (#37155).

Revision 21621
Added by Marius BALTEANU 28 days ago

Merged r21613 to 4.2-stable (#37155).

History

#1 Updated by Go MAEDA about 1 month ago

  • Target version set to 4.2.7

Setting the target version to 4.2.7.

#2 Updated by Marius BALTEANU 29 days ago

  • Status changed from New to Resolved
  • Assignee set to Marius BALTEANU

Committed the fix, thanks!

#3 Updated by Marius BALTEANU 28 days ago

  • Status changed from Resolved to Closed
