From 50ed7eef68c8ef8fb954606bb0a34d6d57c89d15 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Sat, 1 Apr 2023 21:41:18 +0200
Subject: [PATCH] feat: hide related tasks where the user does not have permission to view them
---
 pkg/models/tasks.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/pkg/models/tasks.go b/pkg/models/tasks.go
index 7db8929bf..c0d83ff8a 100644
--- a/pkg/models/tasks.go
+++ b/pkg/models/tasks.go
@@ -691,6 +691,12 @@ func addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]
 // NOTE: while it certainly be possible to run this function on fullRelatedTasks again, we don't do this for performance reasons.
+ type permissionCheck struct {
+ allowed bool
+ }
+
+ canViewTask := make(map[int64]*permissionCheck)
+
 // Go through all task relations and put them into the task objects
 for _, rt := range relatedTasks {
 _, has := fullRelatedTasks[rt.OtherTaskID]
@@ -700,6 +706,21 @@ func addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]
 }
 fullRelatedTasks[rt.OtherTaskID].IsFavorite = taskFavorites[rt.OtherTaskID]
+ _, has = canViewTask[rt.OtherTaskID]
+ if !has {
+ p := Project{ID: fullRelatedTasks[rt.OtherTaskID].ProjectID}
+ can, _, err := p.CanRead(s, a)
+ if err != nil {
+ return err
+ }
+
+ canViewTask[rt.OtherTaskID] = &permissionCheck{allowed: can}
+ }
+ check := canViewTask[rt.OtherTaskID]
+ if !check.allowed {
+ continue
+ }
+
+
 // We're duplicating the other task to avoid cycles as these can't be represented properly in json
 // and would thus fail with an error.
 otherTask := &Task{}
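Review bot: The read decision in the second hunk is made per project (`p.CanRead(s, a)` on the related task's `ProjectID`) but cached per task in `canViewTask[rt.OtherTaskID]`, so related tasks that share a project each trigger their own permission check. Keying the cache by project ID with a plain `map[int64]bool` filters identically and removes the need for the `permissionCheck` wrapper declared in the first hunk. A non-nil `err` from `CanRead` aborts the whole call; if it can be returned for a relation whose project no longer exists (not visible here), one stale relation would fail the entire listing, and treating that case as "not allowed" would still fail closed. The diffstat touches only `pkg/models/tasks.go`, so the filter has no regression test; a case with a related task in a project the caller cannot read, asserting it is absent from the output, would pin the behaviour. The function body and the origin of `a` lie outside both hunks.

```go
canReadProject := make(map[int64]bool) // replaces permissionCheck and canViewTask

// … unchanged: relation loop header, fullRelatedTasks lookup, IsFavorite assignment …
		projectID := fullRelatedTasks[rt.OtherTaskID].ProjectID
		allowed, checked := canReadProject[projectID]
		if !checked {
			p := Project{ID: projectID}
			can, _, err := p.CanRead(s, a)
			if err != nil {
				return err
			}
			allowed = can
			canReadProject[projectID] = can
		}
		if !allowed {
			continue
		}
// … unchanged: duplicating the other task …
```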