diff --git a/pkg/models/subscription.go b/pkg/models/subscription.go
index dd6c6505d..fcce7529c 100644
--- a/pkg/models/subscription.go
+++ b/pkg/models/subscription.go
@@ -359,7 +359,7 @@ subscription_hierarchy AS (
 ph.task_id
 FROM subscriptions s
 INNER JOIN project_hierarchy ph ON s.entity_id = ph.id
- WHERE s.entity_type = ?
+ WHERE s.entity_type = ?`+sUserCond+`
 )

 SELECT
diff --git a/pkg/models/subscription_test.go b/pkg/models/subscription_test.go
index b9fdbcd59..acfd63fac 100644
--- a/pkg/models/subscription_test.go
+++ b/pkg/models/subscription_test.go
@@ -341,3 +341,25 @@ func TestSubscriptionGet(t *testing.T) {
 assert.Equal(t, int64(9), sub.ID)
 })
 }
+
+func TestSubscription_NoCrossUserProjectInheritance(t *testing.T) {
+ db.LoadAndAssertFixtures(t)
+ s := db.NewSession()
+ defer s.Close()
+
+ user1 := &user.User{ID: 1}
+ user2 := &user.User{ID: 2}
+
+ sb := &Subscription{
+ Entity: "project",
+ EntityID: 3,
+ }
+ can, err := sb.CanCreate(s, user1)
+ require.NoError(t, err)
+ require.True(t, can)
+ require.NoError(t, sb.Create(s, user1))
+
+ sub, err := GetSubscriptionForUser(s, SubscriptionEntityTask, 32, user2)
+ require.NoError(t, err)
+ assert.Nil(t, sub)
+}
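Review bot: In pkg/models/subscription.go the `subscription_hierarchy` CTE now gets its user filter by concatenating `sUserCond` into the raw SQL, and neither the definition of `sUserCond` nor the query's argument list is visible in this hunk. If the fragment carries a `?` placeholder, the bound arguments must gain a user ID at exactly this position, after the `s.entity_type` value, or every later placeholder shifts silently. I would add a comment where `sUserCond` is built, such as `// sUserCond is a constant SQL fragment with one bound placeholder; append the user ID to the args once per use, in query order`, so the fragment is never extended with interpolated values. The query string starts and ends outside the hunk.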
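Review bot: In pkg/models/subscription_test.go, `TestSubscription_NoCrossUserProjectInheritance` asserts only the negative case, so it would also pass if the new filter hid inherited subscriptions from every user, the subscriber included. A positive assertion for the subscribing user closes that gap: `own, err := GetSubscriptionForUser(s, SubscriptionEntityTask, 32, user1)`, `require.NoError(t, err)`, `require.NotNil(t, own)`. The test also depends on fixture facts it does not state (presumably task 32 belongs to project 3 and user 2 has no subscription of their own on that path); a comment such as `// fixtures: task 32 is in project 3; user 2 has no own subscription` would make that explicit.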