fix(saved filters): check permissions when accessing tasks of a filter

2024-11-21 15:42:26 +01:00
parent 80219c34b9
commit bbbd936868
1 changed files with 8 additions and 0 deletions
--- a/pkg/models/task_collection.go
+++ b/pkg/models/task_collection.go
@@ -239,6 +239,14 @@ func (tf *TaskCollection) ReadAll(s *xorm.Session, a web.Auth, search string, pa
 			return nil, 0, 0, err
 		}

+		canRead, _, err := sf.CanRead(s, a)
+		if err != nil {
+			return nil, 0, 0, err
+		}
+		if !canRead {
+			return nil, 0, 0, ErrGenericForbidden{}
+		}
+
 		// By prepending sort options before the saved ones from the filter, we make sure the supplied sort
 		// options via query take precedence over the rest.