From e10837476ae2d7d8653eba7d6de22fd98302eea1 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 28 Jul 2025 10:32:59 +0200
Subject: [PATCH] fix: subscription should only be visible for the user who subscribed (#1183)
---
 pkg/models/subscription.go | 2 +-
 pkg/models/subscription_test.go | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/pkg/models/subscription.go b/pkg/models/subscription.go
index dd6c6505d..fcce7529c 100644
--- a/pkg/models/subscription.go
+++ b/pkg/models/subscription.go
@@ -359,7 +359,7 @@ subscription_hierarchy AS (
 ph.task_id
 FROM subscriptions s
 INNER JOIN project_hierarchy ph ON s.entity_id = ph.id
- WHERE s.entity_type = ?
+ WHERE s.entity_type = ?`+sUserCond+`
 )
 SELECT
diff --git a/pkg/models/subscription_test.go b/pkg/models/subscription_test.go
index b9fdbcd59..acfd63fac 100644
--- a/pkg/models/subscription_test.go
+++ b/pkg/models/subscription_test.go
@@ -341,3 +341,25 @@ func TestSubscriptionGet(t *testing.T) {
 assert.Equal(t, int64(9), sub.ID)
 })
 }
+
+func TestSubscription_NoCrossUserProjectInheritance(t *testing.T) {
+ db.LoadAndAssertFixtures(t)
+ s := db.NewSession()
+ defer s.Close()
+
+ user1 := &user.User{ID: 1}
+ user2 := &user.User{ID: 2}
+
+ sb := &Subscription{
+ Entity: "project",
+ EntityID: 3,
+ }
+ can, err := sb.CanCreate(s, user1)
+ require.NoError(t, err)
+ require.True(t, can)
+ require.NoError(t, sb.Create(s, user1))
+
+ sub, err := GetSubscriptionForUser(s, SubscriptionEntityTask, 32, user2)
+ require.NoError(t, err)
+ assert.Nil(t, sub)
+}
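Review bot: The new `WHERE s.entity_type = ?`+sUserCond+`` line in the `subscription_hierarchy` CTE splices a second filter into the SQL string, so whatever placeholder `sUserCond` carries now sits between the existing `s.entity_type = ?` binding and any that follow; the query's argument list is outside the hunk and must bind the user ID at exactly that position, otherwise the positional parameters shift and the filter silently compares the wrong values. This is safe only while `sUserCond` stays a constant fragment whose user ID is a bound parameter, as its presumed earlier use in the same query is; a formatted-in ID would have to be turned back into a binding. Because the bug being fixed is an authorization one (another user's parent-project subscription was inherited by child tasks), a short why-comment on the line would keep the condition from being "simplified away" later, e.g. `// sUserCond is required in the recursive branch too: without it a parent project subscription of another user is inherited by the child task.` The enclosing function starts and ends outside the hunk.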
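Review bot: `TestSubscription_NoCrossUserProjectInheritance` only checks the negative case, so a regression that stops project subscriptions from being inherited by tasks at all (an empty CTE result) would pass it unnoticed. Add the positive counterpart for the subscribing user right after the `assert.Nil`: `sub, err = GetSubscriptionForUser(s, SubscriptionEntityTask, 32, user1)`, `require.NoError(t, err)`, `assert.NotNil(t, sub)`. The test also relies on task 32 sitting under project 3 in the fixtures, which the hunk does not show; a one-line comment such as `// task 32 belongs to project 3 in the fixtures, so user1's project subscription is inherited by it` makes that dependency visible if the fixtures are ever reshuffled.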