Less strict handling of related issues for restricted issues (#6302)

LabKey · Feb 14, 2025 · 1277570 · 1277570
1 parent 434c034
commit 1277570
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 7 deletions.
diff --git a/issues/src/org/labkey/issue/model/IssueManager.java b/issues/src/org/labkey/issue/model/IssueManager.java
@@ -186,6 +186,18 @@ private static IssueObject _getRawIssue(@Nullable Container c, int issueId)
 
     @Nullable
     public static IssueObject getIssue(@Nullable Container c, User user, int issueId)
+    {
+        return getIssue(c, user, issueId, true);
+    }
+
+    @Nullable
+    public static IssueObject getIssue(
+            @Nullable Container c,
+            User user,
+            int issueId,
+            boolean throwOnRestrictedFailure        // controls whether we throw on a RestrictedIssueProvider failure
+                                                    // or just return null
+    )
     {
         IssueObject issue = _getIssue(c, user, issueId);
 
@@ -206,12 +218,17 @@ public static IssueObject getIssue(@Nullable Container c, User user, int issueId
 
             if (!provider.hasPermission(user, issue, relatedIssues, errors))
             {
-                StringBuilder msg = new StringBuilder(errors.isEmpty() ? "Access denied" : "");
-                for (ValidationError ve : errors)
+                if (throwOnRestrictedFailure)
                 {
-                    msg.append(ve.getMessage()).append("\n");
+                    StringBuilder msg = new StringBuilder(errors.isEmpty() ? "Access denied" : "");
+                    for (ValidationError ve : errors)
+                    {
+                        msg.append(ve.getMessage()).append("\n");
+                    }
+                    throw new UnauthorizedException(msg.toString());
                 }
-                throw new UnauthorizedException(msg.toString());
+                else
+                    return null;
             }
         }
         return issue;
@@ -280,7 +297,7 @@ public static List<IssueObject.CommentObject> getCommentsForRelatedIssues(IssueO
         for (Integer relatedIssueInt : relatedIssues)
         {
             // only add related issues that the user has permission to see
-            IssueObject relatedIssue = IssueManager.getIssue(null, user, relatedIssueInt);
+            IssueObject relatedIssue = IssueManager.getIssue(null, user, relatedIssueInt, false);
             if (relatedIssue != null)
             {
                 boolean hasReadPermission = ContainerManager.getForId(relatedIssue.getContainerId()).hasPermission(user, ReadPermission.class);
@@ -315,7 +332,7 @@ public static boolean hasRelatedIssues(IssueObject issue, User user)
     {
         for (Integer relatedIssueInt : issue.getRelatedIssues())
         {
-            IssueObject relatedIssue = IssueManager.getIssue(null, user, relatedIssueInt);
+            IssueObject relatedIssue = IssueManager.getIssue(null, user, relatedIssueInt, false);
             if (relatedIssue != null && relatedIssue.getCommentObjects().size() > 0)
             {
                 boolean hasReadPermission = ContainerManager.getForId(relatedIssue.getContainerId()).hasPermission(user, ReadPermission.class);

diff --git a/issues/src/org/labkey/issue/model/IssuePage.java b/issues/src/org/labkey/issue/model/IssuePage.java
@@ -674,7 +674,7 @@ public HtmlString renderAttachments(ViewContext context, CommentObject comment)
 
     public String renderIssueIdLink(Integer id)
     {
-        IssueObject issue = IssueManager.getIssue(null, _user, id);
+        IssueObject issue = IssueManager.getIssue(null, _user, id, false);
         Container c = issue != null ? issue.lookupContainer() : null;
         if (c != null && c.hasPermission(_user, ReadPermission.class))
         {

diff --git a/issues/src/org/labkey/issue/view/RelatedIssuesView.java b/issues/src/org/labkey/issue/view/RelatedIssuesView.java
@@ -37,6 +37,7 @@
 import org.labkey.api.view.ViewContext;
 import org.labkey.issue.model.IssueListDef;
 import org.labkey.issue.model.IssueManager;
+import org.labkey.issue.model.IssueObject;
 import org.labkey.issue.query.IssuesQuerySchema;
 import org.springframework.validation.BindException;
 
@@ -67,13 +68,18 @@ public RelatedIssuesView(@NotNull ViewContext context, @NotNull Set<Integer> rel
             Integer issueId = (Integer)m.get("issueId");
             String containerId = (String)m.get("container");
             Container c = ContainerManager.getForId(containerId);
+
             if (c == null || !c.hasPermission(getViewContext().getUser(), ReadPermission.class))
                 return;
 
             IssueListDef d = IssueManager.getIssueListDef(c, issueDefId);
             if (d == null)
                 return;
 
+            IssueObject issue = IssueManager.getIssue(null, context.getUser(), issueId, false);
+            if (issue == null)
+                return;
+
             // If the user doesn't have ReadPermission to the domain container, we won't be able to create a query
             // table in that container.  In this case, just use the issue's container.  As a consequence, any other
             // from the same domain definition issueListDef that live in different containers will appear in separate grids.