fix(sec): permission check for project issue

earl-warren · earl-warren · commit 913e3b536ed1 · 2025-02-05T22:05:22.000Z
- Do an access check when loading issues for a project board, currently this is not done and exposes the title, labels and existence of a private issue that the viewer of the project board may not have access to. - The number of issues cannot be calculated in a efficient manner and stored in the database because their number may vary depending on the visibility of the repositories participating in the project. The previous implementation used the pre-calculated numbers stored in each project, which did not reflect that potential variation. - The code is derived from go-gitea/gitea#22865 (cherry picked from commit 2193afaeb9954a5778f5a47aafd0e6fbbf48d000)
diff --git a/models/issues/issue_project.go b/models/issues/issue_project.go
@@ -7,8 +7,10 @@ import (
 	"context"
 
 	"code.gitea.io/gitea/models/db"
+	org_model "code.gitea.io/gitea/models/organization"
 	project_model "code.gitea.io/gitea/models/project"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/util"
 )
 
@@ -48,22 +50,28 @@ func (issue *Issue) ProjectBoardID(ctx context.Context) int64 {
 }
 
 // LoadIssuesFromBoard load issues assigned to this board
-func LoadIssuesFromBoard(ctx context.Context, b *project_model.Board) (IssueList, error) {
-	issueList, err := Issues(ctx, &IssuesOptions{
+func LoadIssuesFromBoard(ctx context.Context, b *project_model.Board, doer *user_model.User, org *org_model.Organization, isClosed optional.Option[bool]) (IssueList, error) {
+	issueOpts := &IssuesOptions{
 		ProjectBoardID: b.ID,
 		ProjectID:      b.ProjectID,
 		SortType:       "project-column-sorting",
-	})
+		IsClosed:       isClosed,
+	}
+	if doer != nil {
+		issueOpts.User = doer
+		issueOpts.Org = org
+	} else {
+		issueOpts.AllPublic = true
+	}
+
+	issueList, err := Issues(ctx, issueOpts)
 	if err != nil {
 		return nil, err
 	}
-
 	if b.Default {
-		issues, err := Issues(ctx, &IssuesOptions{
-			ProjectBoardID: db.NoConditionID,
-			ProjectID:      b.ProjectID,
-			SortType:       "project-column-sorting",
-		})
+		issueOpts.ProjectBoardID = db.NoConditionID
+
+		issues, err := Issues(ctx, issueOpts)
 		if err != nil {
 			return nil, err
 		}
@@ -78,10 +86,10 @@ func LoadIssuesFromBoard(ctx context.Context, b *project_model.Board) (IssueList
 }
 
 // LoadIssuesFromBoardList load issues assigned to the boards
-func LoadIssuesFromBoardList(ctx context.Context, bs project_model.BoardList) (map[int64]IssueList, error) {
+func LoadIssuesFromBoardList(ctx context.Context, bs project_model.BoardList, doer *user_model.User, org *org_model.Organization, isClosed optional.Option[bool]) (map[int64]IssueList, error) {
 	issuesMap := make(map[int64]IssueList, len(bs))
 	for i := range bs {
-		il, err := LoadIssuesFromBoard(ctx, bs[i])
+		il, err := LoadIssuesFromBoard(ctx, bs[i], doer, org, isClosed)
 		if err != nil {
 			return nil, err
 		}
@@ -160,3 +168,36 @@ func IssueAssignOrRemoveProject(ctx context.Context, issue *Issue, doer *user_mo
 		})
 	})
 }
+
+// NumIssuesInProjects returns the amount of issues assigned to one of the project
+// in the list which the doer can access.
+func NumIssuesInProjects(ctx context.Context, pl []*project_model.Project, doer *user_model.User, org *org_model.Organization, isClosed optional.Option[bool]) (map[int64]int, error) {
+	numMap := make(map[int64]int, len(pl))
+	for _, p := range pl {
+		num, err := NumIssuesInProject(ctx, p, doer, org, isClosed)
+		if err != nil {
+			return nil, err
+		}
+		numMap[p.ID] = num
+	}
+
+	return numMap, nil
+}
+
+// NumIssuesInProject returns the amount of issues assigned to the project which
+// the doer can access.
+func NumIssuesInProject(ctx context.Context, p *project_model.Project, doer *user_model.User, org *org_model.Organization, isClosed optional.Option[bool]) (int, error) {
+	numIssuesInProject := int(0)
+	bs, err := p.GetBoards(ctx)
+	if err != nil {
+		return 0, err
+	}
+	im, err := LoadIssuesFromBoardList(ctx, bs, doer, org, isClosed)
+	if err != nil {
+		return 0, err
+	}
+	for _, il := range im {
+		numIssuesInProject += len(il)
+	}
+	return numIssuesInProject, nil
+}
diff --git a/models/project/board.go b/models/project/board.go
@@ -70,20 +70,6 @@ func (Board) TableName() string {
 	return "project_board"
 }
 
-// NumIssues return counter of all issues assigned to the board
-func (b *Board) NumIssues(ctx context.Context) int {
-	c, err := db.GetEngine(ctx).Table("project_issue").
-		Where("project_id=?", b.ProjectID).
-		And("project_board_id=?", b.ID).
-		GroupBy("issue_id").
-		Cols("issue_id").
-		Count()
-	if err != nil {
-		return 0
-	}
-	return int(c)
-}
-
 func (b *Board) GetIssues(ctx context.Context) ([]*ProjectIssue, error) {
 	issues := make([]*ProjectIssue, 0, 5)
 	if err := db.GetEngine(ctx).Where("project_id=?", b.ProjectID).
diff --git a/models/project/issue.go b/models/project/issue.go
@@ -34,20 +34,6 @@ func deleteProjectIssuesByProjectID(ctx context.Context, projectID int64) error
 	return err
 }
 
-// NumIssues return counter of all issues assigned to a project
-func (p *Project) NumIssues(ctx context.Context) int {
-	c, err := db.GetEngine(ctx).Table("project_issue").
-		Where("project_id=?", p.ID).
-		GroupBy("issue_id").
-		Cols("issue_id").
-		Count()
-	if err != nil {
-		log.Error("NumIssues: %v", err)
-		return 0
-	}
-	return int(c)
-}
-
 // NumClosedIssues return counter of closed issues assigned to a project
 func (p *Project) NumClosedIssues(ctx context.Context) int {
 	c, err := db.GetEngine(ctx).Table("project_issue").
diff --git a/routers/web/org/projects.go b/routers/web/org/projects.go
@@ -126,6 +126,19 @@ func Projects(ctx *context.Context) {
 	ctx.Data["PageIsViewProjects"] = true
 	ctx.Data["SortType"] = sortType
 
+	numOpenIssues, err := issues_model.NumIssuesInProjects(ctx, projects, ctx.Doer, ctx.Org.Organization, optional.Some(false))
+	if err != nil {
+		ctx.ServerError("NumIssuesInProjects", err)
+		return
+	}
+	numClosedIssues, err := issues_model.NumIssuesInProjects(ctx, projects, ctx.Doer, ctx.Org.Organization, optional.Some(true))
+	if err != nil {
+		ctx.ServerError("NumIssuesInProjects", err)
+		return
+	}
+	ctx.Data["NumOpenIssuesInProject"] = numOpenIssues
+	ctx.Data["NumClosedIssuesInProject"] = numClosedIssues
+
 	ctx.HTML(http.StatusOK, tplProjects)
 }
 
@@ -332,7 +345,7 @@ func ViewProject(ctx *context.Context) {
 		return
 	}
 
-	issuesMap, err := issues_model.LoadIssuesFromBoardList(ctx, boards)
+	issuesMap, err := issues_model.LoadIssuesFromBoardList(ctx, boards, ctx.Doer, ctx.Org.Organization, optional.None[bool]())
 	if err != nil {
 		ctx.ServerError("LoadIssuesOfBoards", err)
 		return
diff --git a/routers/web/repo/projects.go b/routers/web/repo/projects.go
@@ -125,6 +125,19 @@ func Projects(ctx *context.Context) {
 	ctx.Data["IsProjectsPage"] = true
 	ctx.Data["SortType"] = sortType
 
+	numOpenIssues, err := issues_model.NumIssuesInProjects(ctx, projects, ctx.Doer, ctx.Org.Organization, optional.Some(false))
+	if err != nil {
+		ctx.ServerError("NumIssuesInProjects", err)
+		return
+	}
+	numClosedIssues, err := issues_model.NumIssuesInProjects(ctx, projects, ctx.Doer, ctx.Org.Organization, optional.Some(true))
+	if err != nil {
+		ctx.ServerError("NumIssuesInProjects", err)
+		return
+	}
+	ctx.Data["NumOpenIssuesInProject"] = numOpenIssues
+	ctx.Data["NumClosedIssuesInProject"] = numClosedIssues
+
 	ctx.HTML(http.StatusOK, tplProjects)
 }
 
@@ -310,7 +323,7 @@ func ViewProject(ctx *context.Context) {
 		return
 	}
 
-	issuesMap, err := issues_model.LoadIssuesFromBoardList(ctx, boards)
+	issuesMap, err := issues_model.LoadIssuesFromBoardList(ctx, boards, ctx.Doer, nil, optional.None[bool]())
 	if err != nil {
 		ctx.ServerError("LoadIssuesOfBoards", err)
 		return
diff --git a/templates/projects/list.tmpl b/templates/projects/list.tmpl
@@ -49,11 +49,11 @@
 				<div class="group">
 					<div class="flex-text-block">
 						{{svg "octicon-issue-opened" 14}}
-						{{ctx.Locale.PrettyNumber (.NumOpenIssues ctx)}}&nbsp;{{ctx.Locale.Tr "repo.issues.open_title"}}
+						{{ctx.Locale.PrettyNumber (index $.NumOpenIssuesInProject .ID)}}&nbsp;{{ctx.Locale.Tr "repo.issues.open_title"}}
 					</div>
 					<div class="flex-text-block">
 						{{svg "octicon-check" 14}}
-						{{ctx.Locale.PrettyNumber (.NumClosedIssues ctx)}}&nbsp;{{ctx.Locale.Tr "repo.issues.closed_title"}}
+						{{ctx.Locale.PrettyNumber (index $.NumClosedIssuesInProject .ID)}}&nbsp;{{ctx.Locale.Tr "repo.issues.closed_title"}}
 					</div>
 				</div>
 				{{if and $.CanWriteProjects (not $.Repository.IsArchived)}}
diff --git a/templates/projects/view.tmpl b/templates/projects/view.tmpl
@@ -70,7 +70,7 @@
 				<div class="project-column-header{{if $canWriteProject}} tw-cursor-grab{{end}}">
 					<div class="ui large label project-column-title tw-py-1">
 						<div class="ui small circular grey label project-column-issue-count">
-							{{.NumIssues ctx}}
+							{{len (index $.IssuesMap .ID)}}
 						</div>
 						<span class="project-column-title-label">{{.Title}}</span>
 					</div>
