Vote #72771
完了Emails of private notes are sent to watcher users regardless of viewing permissions
0%
説明
Mailer for both for issue_add and issue_edit doesn't take watchers' private notes viewing permissions in consideration when generating the cc list.
A possible solution would be to do the following:
recipients = journal.recipients
watchers = journal.journalized.watcher_users.active
watchers.reject! {|user| !journal.visible?(user)}
cc = watchers.collect(&:mail) - recipients
Being journal.visible? a new method on Journal:
def visible?(usr=User.current)
issue.visible?(usr) && (!private_notes? || usr.allowed_to?(:view_private_notes, project))
end
journals
The affected version is *Redmine 2.1.2.devel.10772*
The rails version is *Rails 3.2.8*
--------------------------------------------------------------------------------
I tried the proposed solution and it works for me. Thank you!
--------------------------------------------------------------------------------
Testet with revision 10781 and works for me.
--------------------------------------------------------------------------------
Daniel, make sure you do the following steps:
# Login as user *U1*
# Assign an user *U2* as a watcher on a issue *I* of project *P* (user *U2* must not have permission to view private notes on that project *P*)
# Write a private note on issue *I*
User *U2* now receives a notification email when it shouldn't.
On r10781, neither *Mailer* nor *ActsAsWatchable* are fixed so you should still be able to reproduce it:
<pre><code class="ruby">
65| recipients = journal.recipient # Assigns author, assignee selecting those who can view private_notes
66| # Watchers in cc
67| cc = issue.watcher_recipients - recipients # watcher_recipients selects all the watchers that can view
# the issue without rejecting those who can't view private notes
</code></pre>
Here's a correction on my solution (I forgot to filter the watchers like it is done on ActsAsWatchable):
<pre><code class="ruby">
recipients = journal.recipients
watchers = journal.journalized.watcher_users.active
watchers.reject! {|user| user.mail_notification == 'none' || !journal.visible?(user)}
cc = watchers.collect(&:mail).compact - recipients
</code></pre>
--------------------------------------------------------------------------------
Ricardo S wrote:
> On r10781, neither *Mailer* nor *ActsAsWatchable* are fixed so you should still be able to reproduce it:
Hi Ricardo,
well I meaned that your patch worked for me. Sorry for the missleading note.
I've tried your patch in this revision and it worked for me (it fixes the descripted problem). ;-)
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fixed with test in r10789, thanks for pointing this out.
--------------------------------------------------------------------------------
related_issues
relates,Closed,1554,Private comments in tickets