From 67a47787fa12ff61ff80be0c79032bec71e3e63d Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 23 Mar 2026 16:09:44 +0100
Subject: [PATCH] fix: filter related tasks by project access to prevent cross-project info disclosure

---
 pkg/models/tasks.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/models/tasks.go b/pkg/models/tasks.go
index a555b3cce..e34079c42 100644
--- a/pkg/models/tasks.go
+++ b/pkg/models/tasks.go
@@ -511,7 +511,9 @@ func addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]
 }
 fullRelatedTasks := make(map[int64]*Task)
- err = s.In("id", relatedTaskIDs).Find(&fullRelatedTasks)
+ err = s.In("id", relatedTaskIDs).
+ And(accessibleProjectIDsSubquery(a, "`tasks`.`project_id`")).
+ Find(&fullRelatedTasks)
 if err != nil {
 return
 }
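Review bot: The added `And(accessibleProjectIDsSubquery(a, ...))` clause is the only thing keeping tasks from unreadable projects out of `fullRelatedTasks`, but nothing at the call site says so, and the diffstat shows no test shipped with the fix. I would put a comment above the query, for example `// Security: only load related tasks from projects the caller can access; relations can point across projects.`, so a later refactor does not drop the filter. I would also add a regression test that relates a task to one in a project the user cannot read and asserts the related task is absent from the result. Rows can now be missing for IDs in `relatedTaskIDs`, so the code after this hunk that looks entries up in `fullRelatedTasks` has to skip absent keys rather than dereference them. That code and the declaration of `a` are outside the hunk, so both need checking there, including what the subquery does when `a` is nil.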