From a0d05211ff2de25fe6729dacb1a49150a6d3a714 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 21 Nov 2024 15:42:26 +0100
Subject: [PATCH] fix(saved filters): check permissions when accessing tasks of a filter

(cherry picked from commit bbbd936868f73a73e37d0f40313274e9e0ba30ac)
---
 pkg/models/task_collection.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/models/task_collection.go b/pkg/models/task_collection.go
index bfa6bf960..31f05132e 100644
--- a/pkg/models/task_collection.go
+++ b/pkg/models/task_collection.go
@@ -233,6 +233,14 @@ func (tf *TaskCollection) ReadAll(s *xorm.Session, a web.Auth, search string, pa
 return nil, 0, 0, err
 }

+ canRead, _, err := sf.CanRead(s, a)
+ if err != nil {
+ return nil, 0, 0, err
+ }
+ if !canRead {
+ return nil, 0, 0, ErrGenericForbidden{}
+ }
+
 // By prepending sort options before the saved ones from the filter, we make sure the supplied sort
 // options via query take precedence over the rest.
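Review bot: The new `sf.CanRead(s, a)` check in ReadAll carries no comment explaining why it is needed, and the diffstat lists only task_collection.go, so this commit pins the authorization fix with no regression test and a later refactor of this branch could drop it unnoticed. I would add `// Tasks of a saved filter are only returned to callers who can read the filter itself.` above the call, plus a test in which an account without read access to the filter calls ReadAll and expects `ErrGenericForbidden`. Returning a distinct forbidden error may also confirm to the caller that the filter exists, assuming the lookup above the hunk yields a different error for unknown IDs; if filter IDs should not be distinguishable that way, return the same error in both cases. ReadAll starts and ends outside the hunk, so the lookup and the later use of `sf` are not visible here.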