From bbbd936868f73a73e37d0f40313274e9e0ba30ac Mon Sep 17 00:00:00 2001 From: kolaente Date: Thu, 21 Nov 2024 15:42:26 +0100 Subject: [PATCH] fix(saved filters): check permissions when accessing tasks of a filter --- pkg/models/task_collection.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pkg/models/task_collection.go b/pkg/models/task_collection.go index c03e143e8..299096df5 100644 --- a/pkg/models/task_collection.go +++ b/pkg/models/task_collection.go @@ -239,6 +239,14 @@ func (tf *TaskCollection) ReadAll(s *xorm.Session, a web.Auth, search string, pa return nil, 0, 0, err } + canRead, _, err := sf.CanRead(s, a) + if err != nil { + return nil, 0, 0, err + } + if !canRead { + return nil, 0, 0, ErrGenericForbidden{} + } + // By prepending sort options before the saved ones from the filter, we make sure the supplied sort // options via query take precedence over the rest.