request #26729 Tracker report renderer and chart widgets leak informa…
…tion user cannot access

Tracker report renderer and chart widgets leak information user cannot access

Change-Id: Ibdd7d1b8e72dd44bbb2b747b7d8f264603f98024
romainlorentz committed Apr 27, 2022
1 parent c975b38 commit 8e99e7c
Showing 2 changed files with 3 additions and 7 deletions.
Expand Up @@ -252,7 +252,7 @@ public function getChart($renderer, $id, $store_in_session = true)
$report = null; //We don't know the report
$renderer = Tracker_Report_RendererFactory::instance()->getReportRendererById($chart_data['report_graphic_id'], $report, $store_in_session);
}
if ($renderer) {
if ($renderer && $renderer->getReport()->getTracker()->userCanView()) {
$c = $this->instanciateChart($chart_data, $renderer, $store_in_session);
}
}
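Review bot: The access check in `if ($renderer && $renderer->getReport()->getTracker()->userCanView())` is enforced at the consumer rather than where the renderer is loaded, and the same predicate is repeated in getRenderer() in the second file with a different accessor (`$renderer->report` instead of `getReport()`). Any other caller of `getReportRendererById()` that this commit does not touch would still receive a renderer for a tracker the user cannot view, so those call sites should be audited or the check moved into one shared helper. The chain also assumes getReport() and getTracker() never return null; if either can, the request ends in a fatal error instead of a clean denial. A short comment such as `// Deny by default: only build the chart when the current user can view the tracker` would record that userCanView() is evaluated for the current user. getChart() starts and ends outside the hunk, so whether `$c` is initialised before this branch cannot be confirmed from here.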
Expand Up @@ -58,12 +58,8 @@ private function getRenderer(): ?Tracker_Report_Renderer
$store_in_session = false;
$arrf = Tracker_Report_RendererFactory::instance();
$renderer = $arrf->getReportRendererById($this->renderer_id, null, $store_in_session);
if ($renderer) {
$tracker = $renderer->report->getTracker();
$project = $tracker->getProject();
if ($tracker->isActive() && $project->isActive()) {
return $renderer;
}
if ($renderer && $renderer->report->getTracker()->userCanView()) {
return $renderer;
}
return null;
}
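Review bot: Replacing the `$tracker->isActive() && $project->isActive()` guard with `userCanView()` alone is only safe if userCanView() itself rejects deleted trackers and inactive projects, which is not visible in this section. If it does not, the widget could now render data from an inactive tracker or project to a user who still holds view permission. In that case keep the `$tracker` and `$project` lookups and test `if ($tracker->isActive() && $project->isActive() && $tracker->userCanView()) {`. A regression test covering a user without view permission and an inactive project would pin both behaviours.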
