opendev/storyboard
Code Issues Proposed changes

Check story permissions when populating automatic worklists

Browse Source 
Currently, when populating the items of an automatic worklist,
the permissions set on private stories is not taken into account.

This commit fixes this issue by filtering out stories and tasks
that the user shouldn't be able to see when finding the list
of stories and tasks which match the worklist's filters.

Change-Id: If37be62890db913b428af4e6a94ee21754c6ac56
This commit is contained in:
Adam Coldrick
2017-10-04 20:19:09 +01:00
parent 9937096cfc
commit 1080289891
2 changed files with 19 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
storyboard/api/v1/wmodels.py
View File

@@ -817,7 +817,7 @@ class Worklist(base.APIBase):
@nodoc
def _resolve_automatic_items(self, worklist, user_id):
items, stories, tasks = worklists_api.filter_items(worklist)
items, stories, tasks = worklists_api.filter_items(worklist, user_id)
story_cache = {story.id: story for story in stories}
task_cache = {task.id: task for task in tasks}
for item in items: