Files
F15421396
D11281.diff
No One
Temporary
Size
2 KB
Referenced Files
None
Subscribers
None
D11281.diff
diff --git a/src/applications/metamta/replyhandler/PhabricatorMailReplyHandler.php b/src/applications/metamta/replyhandler/PhabricatorMailReplyHandler.php
--- a/src/applications/metamta/replyhandler/PhabricatorMailReplyHandler.php
+++ b/src/applications/metamta/replyhandler/PhabricatorMailReplyHandler.php
@@ -197,6 +197,36 @@
// for now.
$recipients = $tos + $ccs;
+ // Check if all recipients have proper permissions to the object
+ // Remove them from the list otherwise
+ $recipient_users = id(new PhabricatorPeopleQuery())
+ ->setViewer(PhabricatorUser::getOmnipotentUser())
+ ->withPHIDs(array_keys($recipients))
+ ->execute();
+ $recipient_users = mpull($recipient_users, null, 'getPHID');
+ phlog($recipient_users);
+
+ // Check if user has permissions to view this object
+ foreach ($recipients as $phid => $recipient) {
+ if ($this->mailReceiver
+ && $this->mailReceiver instanceof PhabricatorPolicyInterface
+ && idx($recipient_users, $phid)
+ && $recipient_users[$phid] instanceof PhabricatorUser) {
+ if (!PhabricatorPolicyFilter::hasCapability(
+ $recipient_users[$phid],
+ $this->mailReceiver,
+ PhabricatorPolicyCapability::CAN_VIEW)) {
+ // User has no permission to this object
+ // so remove them from the recipient list
+ unset($recipients[$phid]);
+ }
+ }
+ }
+
+ if (!$recipients) {
+ return $result;
+ }
+
// When multiplexing mail, explicitly include To/Cc information in the
// message body and headers.
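Review bot: `phlog($recipient_users);` after the `mpull()` call looks like leftover debugging: it writes every loaded recipient PhabricatorUser object to the error log each time this path runs, which is noisy and puts account data into logs, so I would drop that line. The filter is also fail-open: a PHID that `idx($recipient_users, $phid)` does not resolve to a PhabricatorUser (presumably a non-user recipient) skips the CAN_VIEW check and stays in `$recipients`, and so does every recipient when `$this->mailReceiver` does not implement PhabricatorPolicyInterface. If that is intended, say so in a comment such as `// Recipients that are not PhabricatorUser objects are not policy-checked here and are kept.` The two `$this->mailReceiver` tests do not depend on `$phid` and could be evaluated once before the `foreach`. The enclosing method starts and ends outside the hunk, so whether `$result` is the right value for the new early return cannot be confirmed from here.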
diff --git a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
@@ -1931,8 +1931,8 @@
$email_to = array_filter(array_unique($this->getMailTo($object)));
$email_cc = array_filter(array_unique($this->getMailCC($object)));
-
$phids = array_merge($email_to, $email_cc);
+
$handles = id(new PhabricatorHandleQuery())
->setViewer($this->requireActor())
->withPHIDs($phids)
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Sat, Mar 22, 11:21 PM (22 h, 2 m ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
7700732
Default Alt Text
D11281.diff (2 KB)
Attached To
Mode
D11281: Do not send email notifications to users without view permissions
Attached