Closed PedroTeixido closed 1 year ago
I have done a patch to mitigate the impact and avoid showing names of other users to users without "view_watchers" permissions.
Here it goes: redmine_5.0.5.dmsf_3.0.6_view_watchers.patch
diff --git a/app/views/dmsf/_main.html.erb b/app/views/dmsf/_main.html.erb index d5a9024c..fdedb82c 100644 --- a/app/views/dmsf/_main.html.erb +++ b/app/views/dmsf/_main.html.erb @@ -95,7 +95,7 @@ <%= render partial: 'dmsf/sidebar' %>
<% project_or_folder = @folder? @folder : @project %>
-<% if @file.watchers.present? %> +<% if @file.watchers.present? && User.current.allowed_to?(:view_dmsf_file_watchers, @project) %> <% content_for :sidebar do %>
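Review bot: the guard added on the `<% if @file.watchers.present? && User.current.allowed_to?(:view_dmsf_file_watchers, @project) %>` line only hides the watcher list in the sidebar partial; the report above also says such users can add and delete watchers, and those actions are not touched by this hunk, so the corresponding controller actions need their own permission check or the fix is view-only. Also confirm that `:view_dmsf_file_watchers` is the exact symbol the plugin declares as a permission (the issue text calls it "view_watchers"); if the symbol is not a registered permission, `allowed_to?` returns false for every non-admin role and the watcher list disappears for everyone except admins. Passing `@project` rather than the `project_or_folder` local on the line above is correct, since `allowed_to?` expects a project, but the folder case from the report (a folder being watched) is not covered by a check on `@file.watchers`.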
Can't you create a pull request into the devel branch?
Patched using provided patch. Thank you!
Thank you! :-)
When a user is assigned to a role that only has browse and view documents permissions, they are still able to add, delete and see watchers. Tested in versions 3.0.6 and 3.1.1.
Also, in version 3.1.1 (not in version 3.0.6), if this user is watching a folder, then when an admin user tries to enter this folder, Redmine crashes.
Redmine version 5.0.5