feat: hide related tasks where the user does not have permission to view them

2023-04-01 21:41:18 +02:00 · 2023-04-01 21:41:18 +02:00 · 50ed7eef68
parent 9443fb1bd5
commit 50ed7eef68
1 changed files with 21 additions and 0 deletions
--- a/pkg/models/tasks.go
+++ b/pkg/models/tasks.go
@ -691,6 +691,12 @@ func addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]

 	// NOTE: while it certainly be possible to run this function on	fullRelatedTasks again, we don't do this for performance reasons.

+	type permissionCheck struct {
+		allowed bool
+	}
+
+	canViewTask := make(map[int64]*permissionCheck)
+
 	// Go through all task relations and put them into the task objects
 	for _, rt := range relatedTasks {
 		_, has := fullRelatedTasks[rt.OtherTaskID]
@ -700,6 +706,21 @@ func addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]
 		}
 		fullRelatedTasks[rt.OtherTaskID].IsFavorite = taskFavorites[rt.OtherTaskID]

+		_, has = canViewTask[rt.OtherTaskID]
+		if !has {
+			p := Project{ID: fullRelatedTasks[rt.OtherTaskID].ProjectID}
+			can, _, err := p.CanRead(s, a)
+			if err != nil {
+				return err
+			}
+
+			canViewTask[rt.OtherTaskID] = &permissionCheck{allowed: can}
+		}
+		check := canViewTask[rt.OtherTaskID]
+		if !check.allowed {
+			continue
+		}
+
 		// We're duplicating the other task to avoid cycles as these can't be represented properly in json
 		// and would thus fail with an error.
 		otherTask := &Task{}