Don't send email notices for a bug to which users have no access

Prior to this, users without viewer access to a bug could potentially receive email notifications for it. This could happen in case of permissions changes, or if an issue is moved to another project with different access rights. Added an access level check to exclude users who don't have at least VIEWER privilege to the bug. Fixes #14704
mantisbt · Sep 12, 2012 · 2cc83ca · 2cc83ca
1 parent b1a1bba
commit 2cc83ca
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/core/email_api.php b/core/email_api.php
@@ -383,12 +383,13 @@ function email_collect_recipients( $p_bug_id, $p_notify_type, $p_extra_user_ids_
 			}
 		}
 
-		# check that user can see bugnotes if the last update included a bugnote
-		if( $t_bug_date == $t_bugnote_date ) {
-			if( !access_has_bugnote_level( VIEWER, $t_bugnote_id, $t_id ) ) {
-				log_event( LOG_EMAIL_RECIPIENT, sprintf( 'Issue = #%d, drop @U%d (access level)', $p_bug_id, $t_id ) );
-				continue;
-			}
+		# exclude users who don't have at least viewer access to the bug,
+		# or who can't see bugnotes if the last update included a bugnote
+		if( !access_has_bug_level( VIEWER, $p_bug_id, $t_id )
+		 || $t_bug_date == $t_bugnote_date && !access_has_bugnote_level( VIEWER, $t_bugnote_id, $t_id )
+		) {
+			log_event( LOG_EMAIL_RECIPIENT, sprintf( 'Issue = #%d, drop @U%d (access level)', $p_bug_id, $t_id ) );
+			continue;
 		}
 
 		# check to exclude users as specified by plugins