Mail handler bypasses add_issue_notes permission (#35045).

Patch by Marius BALTEANU. git-svn-id: http://svn.redmine.org/redmine/trunk@20970 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 19:47:14 +00:00 · 2021-04-25 13:02:13 +00:00 · 2021-04-25 13:02:13 +00:00 · cbd5f2ce8c
commit cbd5f2ce8c
parent d67ed93f39
2 changed files with 5 additions and 4 deletions
--- a/app/models/mail_handler.rb
+++ b/app/models/mail_handler.rb
@ -225,8 +225,7 @@ class MailHandler < ActionMailer::Base

    # check permission
    unless handler_options[:no_permission_check]
-      unless user.allowed_to?(:add_issue_notes, issue.project) ||
-               user.allowed_to?(:edit_issues, issue.project)
+      unless issue.notes_addable?
        raise UnauthorizedAction, "not allowed to add notes on issues to project [#{issue.project.name}]"
      end
    end
--- a/test/unit/mail_handler_test.rb
+++ b/test/unit/mail_handler_test.rb
@ -1051,9 +1051,11 @@ class MailHandlerTest < ActiveSupport::TestCase
    end
  end

-  def test_reply_to_a_issue_without_permission
+  def test_reply_to_an_issue_without_permission
    set_tmp_attachments_directory
-    Role.all.each {|r| r.remove_permission! :add_issue_notes, :edit_issues}
+    # "add_issue_notes" permission is explicit required to allow users to add notes
+    # "edit_issue" permission no longer includes the "add_issue_notes" permission
+    Role.all.each {|r| r.remove_permission! :add_issue_notes}
    assert_no_difference 'Issue.count' do
      assert_no_difference 'Journal.count' do
        assert_not submit_email('ticket_reply_with_status.eml')