PedroTeixido
commented
1 year ago I have done a patch to mitigate the impact and avoid showing names of other users to users without "view_watchers" permissions.
Here it goes: redmine_5.0.5.dmsf_3.0.6_view_watchers.patch
diff --git a/app/views/dmsf/_main.html.erb b/app/views/dmsf/_main.html.erb index d5a9024c..fdedb82c 100644 --- a/app/views/dmsf/_main.html.erb +++ b/app/views/dmsf/_main.html.erb @@ -95,7 +95,7 @@ <%= render partial: 'dmsf/sidebar' %>
<% project_or_folder = @folder? @folder : @project %>
- <% if project_or_folder&.watchers.present? %>
- <% if project_or_folder&.watchers.present? && User.current.allowed_to?(:view_dmsf_folder_watchers, @project) %>
<% if @folder %> <%= render partial: 'watchers/watchers', locals: { watched: @folder } %> diff --git a/app/views/dmsf_files/show.html.erb b/app/views/dmsf_files/show.html.erb index 04607bdb..3e3e75f3 100644 --- a/app/views/dmsf_files/show.html.erb +++ b/app/views/dmsf_files/show.html.erb @@ -171,7 +171,7 @@ <% end %> <%= pagination_links_full @revision_pages, @revision_count %>
-<% if @file.watchers.present? %> +<% if @file.watchers.present? && User.current.allowed_to?(:view_dmsf_file_watchers, @project) %> <% content_for :sidebar do %>
<%= render partial: 'watchers/watchers', locals: { watched: @file } %>picman commented 1 year ago
Can't you create a pull request into the devel branch?
Patched using provided patch. Thank you!
Thank you! :-)
When a user is assigned to a role that only have browse and view documents permissions, is still able to add, delete and see watchers. Tested in versions 3.0.6 and 3.1.1
Also, in version 3.1.1 (not in version 3.0.6), if this user is watching a folder, when an admin user tries to enter in this folder redmine crashes.
Redmine versión 5.0.5