mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-08-01 17:38:33 +00:00
d7e483fd52
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7143
- The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking.
- The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project.
- This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query.
- Added unit testing.
- Added integration testing.
- Resolves Codeberg/Community#1809
- Regression of https://codeberg.org/forgejo/forgejo/pulls/6843
(cherry picked from commit a2958f5a26)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7145
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
23 lines
434 B
YAML
23 lines
434 B
YAML
-
|
|
id: 1001
|
|
title: Org project that contains private and public issues
|
|
owner_id: 3
|
|
repo_id: 0
|
|
is_closed: false
|
|
creator_id: 2
|
|
board_type: 1
|
|
type: 3
|
|
created_unix: 1738000000
|
|
updated_unix: 1738000000
|
|
|
|
-
|
|
id: 1002
|
|
title: User project that contains private and public issues
|
|
owner_id: 2
|
|
repo_id: 0
|
|
is_closed: false
|
|
creator_id: 2
|
|
board_type: 1
|
|
type: 1
|
|
created_unix: 1738000000
|
|
updated_unix: 1738000000
|