Fix for #1037 myTickets now honours permissions #1040

Merged
merged 1 commit into from Apr 5, 2016

Projects

None yet

2 participants

@paulsputer
Collaborator

Ticket search results are now only displayed if user has view rights to the repository.

This also corrects the handling of tickets that were created by, watched by, assigned to or mentions a user that no longer has view rights.

@paulsputer
Collaborator

@gitblit we may want to consider a minor release for this change as it fixes a potential information leak. What do you think?

@gitblit
Owner
gitblit commented Apr 5, 2016

I can spin up a release whenever you think it's needed, but based on what has merged into master I would probably bump it to 1.8.0.

@paulsputer
Collaborator

Ok thanks, in that case I'll get a few small changes sorted and list them in a 1.8.0 prep ticket

@paulsputer paulsputer merged commit 6ecf390 into master Apr 5, 2016
@paulsputer paulsputer deleted the 1037-EnforcePermissionsForTickets branch Apr 7, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment