From b9a6f756b438e9cb2af2625aadcf8a8f4c2ce5e8 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Mar 16 2015 11:33:21 +0000
Subject: Prevent users from seeing a private ticket unless user is an admin or the reporter

---

diff --git a/progit/ui/issues.py b/progit/ui/issues.py
index 2593850..fd79681 100644
--- a/progit/ui/issues.py
+++ b/progit/ui/issues.py
@@ -335,6 +335,11 @@ def view_issue(repo, issueid, username=None):
     if issue is None or issue.project != repo:
         flask.abort(404, 'Issue not found')
+    if issue.private and not is_repo_admin(repo) \
+        and not issue.user.user == flask.g.fas_user.username:
+        flask.abort(
+            403, 'This issue is private and you are not allowed to view it')
+
     status = progit.lib.get_issue_statuses(SESSION)
     form = progit.forms.UpdateIssueForm(status=status)
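Review bot: The new guard dereferences `flask.g.fas_user.username` unconditionally, so if view_issue is reachable without a login (its decorators sit above the hunk and are not visible here) an anonymous request for a private issue raises AttributeError and ends in a 500 rather than a deliberate deny; the comparison should treat a missing user as "not the reporter", e.g. `and not (flask.g.fas_user and issue.user.user == flask.g.fas_user.username):`. Note also that answering 403 for private issues lets any caller tell a private issue id from a non-existent one, since the 404 branch above fires only for missing issues; if that distinction is not wanted, aborting with the same 404 status and message for both cases avoids it. As a point of style, `not issue.user.user == ...` reads more naturally as `issue.user.user != ...`. The body of view_issue continues outside the hunk, so any later branch that reads the issue is also covered only if it sits below this check.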