fix: filter related tasks by project access to prevent cross-project info disclosure
parent
e2683bb2bc
commit
67a47787fa
|
|
@ -511,7 +511,9 @@ func addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]
|
|||
}
|
||||
|
||||
fullRelatedTasks := make(map[int64]*Task)
|
||||
err = s.In("id", relatedTaskIDs).Find(&fullRelatedTasks)
|
||||
err = s.In("id", relatedTaskIDs).
|
||||
And(accessibleProjectIDsSubquery(a, "`tasks`.`project_id`")).
|
||||
Find(&fullRelatedTasks)
|
||||
if err != nil {
|
||||
return
|
||||
}
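Review bot: The query ending in `Find(&fullRelatedTasks)` can now return fewer rows than `relatedTaskIDs` holds, so any later code that looks up `fullRelatedTasks` by a related task's id must skip a missing entry instead of attaching a nil `*Task`. That code is in the part of `addRelatedTasksToTasks` outside this hunk, so I cannot confirm it does; the relation rows themselves are also loaded outside the hunk, so please check that they do not expose the ids of filtered-out tasks on their own. The filter is an authorization boundary and should say so, for example `// Only load related tasks from projects the caller may read; relations to other projects are dropped on purpose.` above the query. It is also not visible here how `accessibleProjectIDsSubquery` behaves when `a` is nil or a non-user auth such as a link share, and a regression test with a relation that crosses into a project the caller cannot read would pin the behaviour.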
|
||||
|
|
|
|||