Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Prevent email about private note to unprivileged users
In email_collect_recipient(), the logic to exclude users who can't see bugnotes relied on comparing the issue's last updated timestamp with the bugnote's date. Since these dates are not necessarily equal as they are updated separately when a bugnote is added, this may result in a race condition causing a notification e-mail about a new private bugnote to be sent to users not authorized to see them. Since email_collect_recipient()'s $p_bugnote_id parameter is always null except for 'bugnote' notifications, the date check is not necessary; it is sufficient to check that $p_bugnote_id is not null. Fixes #22898
- Loading branch information