fix(sec): permission check for project issue

- Do an access check when loading issues for a project column, currently this is not done and exposes the title, labels and existence of a private issue that the viewer of the project board may not have access to. - The number of issues cannot be calculated in a efficient manner and stored in the database because their number may vary depending on the visibility of the repositories participating in the project. The previous implementation used the pre-calculated numbers stored in each project, which did not reflect that potential variation. - The code is derived from https://github.com/go-gitea/gitea/pull/22865
2025-06-26 17:00:04 +02:00 · 2025-01-29 09:47:37 +01:00 · 2025-01-29 09:47:37 +01:00 · 71a61b5869
commit 71a61b5869
parent d7be78d3ea
7 changed files with 83 additions and 43 deletions
--- a/models/project/issue.go
+++ b/models/project/issue.go
@ -34,20 +34,6 @@ func deleteProjectIssuesByProjectID(ctx context.Context, projectID int64) error
 	return err
 }

-// NumIssues return counter of all issues assigned to a project
-func (p *Project) NumIssues(ctx context.Context) int {
-	c, err := db.GetEngine(ctx).Table("project_issue").
-		Where("project_id=?", p.ID).
-		GroupBy("issue_id").
-		Cols("issue_id").
-		Count()
-	if err != nil {
-		log.Error("NumIssues: %v", err)
-		return 0
-	}
-	return int(c)
-}
-
 // NumClosedIssues return counter of closed issues assigned to a project
 func (p *Project) NumClosedIssues(ctx context.Context) int {
 	c, err := db.GetEngine(ctx).Table("project_issue").