fix: subscription should only be visible for the user who subscribed (#1183)
This commit is contained in:
parent
e4c9615177
commit
e10837476a
|
|
@ -359,7 +359,7 @@ subscription_hierarchy AS (
|
|||
ph.task_id
|
||||
FROM subscriptions s
|
||||
INNER JOIN project_hierarchy ph ON s.entity_id = ph.id
|
||||
WHERE s.entity_type = ?
|
||||
WHERE s.entity_type = ?`+sUserCond+`
|
||||
)
|
||||
|
||||
SELECT
|
||||
|
|
|
|||
|
|
@ -341,3 +341,25 @@ func TestSubscriptionGet(t *testing.T) {
|
|||
assert.Equal(t, int64(9), sub.ID)
|
||||
})
|
||||
}
|
||||
|
||||
func TestSubscription_NoCrossUserProjectInheritance(t *testing.T) {
|
||||
db.LoadAndAssertFixtures(t)
|
||||
s := db.NewSession()
|
||||
defer s.Close()
|
||||
|
||||
user1 := &user.User{ID: 1}
|
||||
user2 := &user.User{ID: 2}
|
||||
|
||||
sb := &Subscription{
|
||||
Entity: "project",
|
||||
EntityID: 3,
|
||||
}
|
||||
can, err := sb.CanCreate(s, user1)
|
||||
require.NoError(t, err)
|
||||
require.True(t, can)
|
||||
require.NoError(t, sb.Create(s, user1))
|
||||
|
||||
sub, err := GetSubscriptionForUser(s, SubscriptionEntityTask, 32, user2)
|
||||
require.NoError(t, err)
|
||||
assert.Nil(t, sub)
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue