MantisBT: master ad42c3ca

Author: dregad
Committer: dregad
Branch: master
Timestamp: 2019-08-10 13:21
Parent: master 380fc710
Affected Issues  0022898: Email for a new private bugnote was send to a non authorized reporter
Changeset

Prevent email about private note to unprivileged users

In email_collect_recipient(), the logic to exclude users who can't see
bugnotes relied on comparing the issue's last updated timestamp with the
bugnote's date.

Since these dates are not necessarily equal as they are updated
separately when a bugnote is added, this may result in a race condition
causing a notification e-mail about a new private bugnote to be sent to
users not authorized to see them.

Since email_collect_recipient()'s $p_bugnote_id parameter is always null
except for 'bugnote' notifications, the date check is not necessary; it
is sufficient to check that $p_bugnote_id is not null.

Fixes 0022898

mod - core/email_api.php
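The following added example is a simplified model of the check described in the commit message; it is not MantisBT's code and not part of this changeset. Every name except `$p_bugnote_id` is hypothetical, and the access levels, ids and timestamps are constructed for illustration.

```php
<?php
// Added illustration: a simplified model, not MantisBT's email_api.php.
// Every name except $p_bugnote_id is hypothetical; all data is constructed.

const PRIVATE_NOTE_LEVEL = 55;   // assumed access level required to view private notes

// Constructed state right after a private note was added. The two timestamps
// are written by separate updates and here fall on different seconds.
$issue = ['last_updated' => 1565443261];
$notes = [7 => ['private' => true, 'date_submitted' => 1565443260]];
$users = ['reporter' => 25, 'developer' => 55];

function may_view_note(int $access, array $note): bool {
    return !$note['private'] || $access >= PRIVATE_NOTE_LEVEL;
}

// Old logic: the visibility check only runs when both dates are equal.
function keep_recipient_by_date(int $access, array $issue, array $note): bool {
    $is_note_event = ($issue['last_updated'] === $note['date_submitted']);
    return !$is_note_event || may_view_note($access, $note);
}

// Logic described by the commit: a non-null id means a 'bugnote' notification.
function keep_recipient_by_id(int $access, ?int $p_bugnote_id, array $notes): bool {
    if ($p_bugnote_id === null) {
        return true;               // not a bugnote notification, nothing to hide
    }
    return may_view_note($access, $notes[$p_bugnote_id]);
}

// Compare both decisions for each constructed user.
foreach ($users as $name => $access) {
    printf("%-9s by_date=%s by_id=%s\n", $name,
        var_export(keep_recipient_by_date($access, $issue, $notes[7]), true),
        var_export(keep_recipient_by_id($access, 7, $notes), true));
}
```

With the one-second gap in the constructed data, the date comparison skips the visibility check and keeps the reporter as a recipient, while the id check drops them.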