fix: filter related tasks by project access to prevent cross-project info disclosure

kolaente 2026-03-23 16:09:44 +01:00 committed by kolaente
parent e2683bb2bc
commit 67a47787fa
1 changed files with 3 additions and 1 deletions


@ -511,7 +511,9 @@ func addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]
}
fullRelatedTasks := make(map[int64]*Task)
err = s.In("id", relatedTaskIDs).Find(&fullRelatedTasks)
err = s.In("id", relatedTaskIDs).
And(accessibleProjectIDsSubquery(a, "`tasks`.`project_id`")).
Find(&fullRelatedTasks)
if err != nil {
return
}
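Review bot: Filtering inside the query means IDs collected in `relatedTaskIDs` can now be missing from `fullRelatedTasks`, so whatever consumes that map after this hunk has to skip absent entries instead of dereferencing a nil `*Task`; that code is outside the hunk, so this needs confirming. A short comment above the query would keep the filter from being dropped in a later refactor, for example `// Only load related tasks from projects the caller can access; relations may point across projects.` A regression test that relates a task to one in a project the user cannot access, and asserts the related task is absent from the result, would pin the fix. It is also worth checking what `accessibleProjectIDsSubquery` does when `a` is nil or a link share, since the signature is truncated on this page and the handling of `a` is not visible.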