Users mentions don't filter by viewing permissions #8303
Comments
I'm working on this issue but I'm stuck with how mentions are processed regarding organizations. If the commenter adds
If the commenter adds
My question is: is this by design? To avoid mass mailing? Since I'm rewriting these functions I need to know how to proceed with this. My options are:
Note: |
I would like to not do anything when added |
Sorry, @lunny , you mean
I'll be working with this in mind. Nonetheless, I'll check individual permissions for each user and ignore those with no access. |
@lunny and others, this is what I'm working on. Please let me know if this is what you have in mind: // ResolveMentionsByVisibility returns the users mentioned in an issue, removing those that
// don't have access to reading it. Teams are expanded into their users, but organizations are ignored.
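//
// Mention names are matched case-insensitively (they are lower-cased first).
// When the repository owner is an organization, a mention that matches a team
// attached to the repository is expanded into the team's members, provided the
// team has owner access or holds the issues / pull-requests unit. Every other
// mention is looked up as a user and kept only if that user can read the
// issue or pull request. doer is accepted but not used by this function.
//
// This function decides who gets notified about possibly private content, so
// each query below has to fail closed: a wrong join or filter here discloses
// the issue to users who cannot read it.
func (issue *Issue) ResolveMentionsByVisibility(ctx DBContext, doer *User, mentions []string) (users []*User, err error) {
	if len(mentions) == 0 {
		return nil, nil
	}
	if err = issue.loadRepo(ctx.e); err != nil {
		return nil, err
	}

	// resolved maps each lower-cased mention to whether it has already been
	// accounted for (true) or still needs an individual user lookup (false).
	resolved := make(map[string]bool, len(mentions))
	for _, mention := range mentions {
		resolved[strings.ToLower(mention)] = false
	}

	if err := issue.Repo.getOwner(ctx.e); err != nil {
		return nil, err
	}

	names := make([]string, 0, len(resolved))
	for name := range resolved {
		names = append(names, name)
	}

	if issue.Repo.Owner.IsOrganization() {
		// Since there can be users with names that match the name of a team,
		// if the team exists and can read the issue, the team takes precedence.
		teams := make([]*Team, 0, len(names))
		if err := ctx.e.
			Join("INNER", "team_repo", "team_repo.team_id = team.id").
			Where("team_repo.repo_id=?", issue.Repo.ID).
			In("team.lower_name", names).
			Find(&teams); err != nil {
			return nil, fmt.Errorf("find mentioned teams: %v", err)
		}

		if len(teams) != 0 {
			unitType := UnitTypeIssues
			if issue.IsPull {
				unitType = UnitTypePullRequests
			}

			// IDs of the teams that are allowed to read this issue or pull request.
			teamIDs := make([]int64, 0, len(teams))
			for _, team := range teams {
				if team.Authorize < AccessModeOwner {
					// Teams below owner level need the matching unit explicitly.
					has, err := ctx.e.Get(&TeamUnit{OrgID: issue.Repo.Owner.ID, TeamID: team.ID, Type: unitType})
					if err != nil {
						return nil, fmt.Errorf("get team units (%d): %v", team.ID, err)
					}
					if !has {
						continue
					}
				}
				teamIDs = append(teamIDs, team.ID)
				resolved[team.LowerName] = true
			}

			if len(teamIDs) != 0 {
				// Join on the member's user ID. Joining on team_user.team_id would
				// select users whose ID merely equals a team ID, i.e. people who
				// are not members and may have no access to the repository.
				// NOTE(review): assumes the member column of team_user is `uid` —
				// confirm against the TeamUser model.
				//
				// The conditions carry an explicit "= ?" placeholder, like the
				// team_repo query above, so the bound value is really compared;
				// without it the filter on prohibit_login is not applied as intended.
				if err := ctx.e.
					Join("INNER", "team_user", "team_user.uid = `user`.id").
					Where("`user`.prohibit_login = ?", false).
					And("`user`.is_active = ?", true).
					In("`team_user`.team_id", teamIDs).
					Distinct().
					Find(&users); err != nil { // Find needs a pointer to the slice it fills.
					return nil, fmt.Errorf("get teams users: %v", err)
				}
				// Members reached through a team must not be added a second time
				// if they were also mentioned by name.
				for _, user := range users {
					resolved[user.LowerName] = true
				}
			}
		}

		// Remove names already in the list
		names = make([]string, 0, len(resolved))
		for name, already := range resolved {
			if !already {
				names = append(names, name)
			}
		}
	}

	if len(names) == 0 {
		// Every mention was resolved through a team; nothing left to look up.
		return users, nil
	}

	unchecked := make([]*User, 0, len(names))
	if err := ctx.e.
		Where("`user`.prohibit_login = ?", false).
		And("`user`.is_active = ?", true).
		In("`user`.lower_name", names).
		Find(&unchecked); err != nil {
		return nil, fmt.Errorf("find mentioned users: %v", err)
	}

	for _, user := range unchecked {
		// Read the stored flag, not the key's presence: every mentioned name is a
		// key of resolved, so a presence test would skip every user found here.
		if resolved[user.LowerName] || user.IsOrganization() {
			continue
		}
		// Normal users must have read access to the referencing issue
		perm, err := getUserRepoPermission(ctx.e, issue.Repo, user)
		if err != nil {
			return nil, fmt.Errorf("getUserRepoPermission [%d]: %v", user.ID, err)
		}
		if !perm.CanReadIssuesOrPulls(issue.IsPull) {
			continue
		}
		users = append(users, user)
		resolved[user.LowerName] = true
	}

	return users, nil
}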
Description
When a comment in an issue or PR mentions a user using `@username`, the mentioned user receives a mail notification even if they don't have permission to see the originating repository.