Update services/convert/issue.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>

services/convert/issue.go

@@ -228,22 +228,24 @@ func ToTrackedTimeList(ctx context.Context, doer *user_model.User, tl issues_mod
 	result := make([]*api.TrackedTime, 0, len(tl))
 	permCache := make(map[int64]access_model.Permission)
 	for _, t := range tl {
-		if t.Issue != nil {
+		// If the issue is not loaded, conservatively skip this entry to avoid bypassing permission checks.
-			if err := t.Issue.LoadRepo(ctx); err != nil {
+		if t.Issue == nil {
-				continue
+			continue
-			}
+		}
-			perm, ok := permCache[t.Issue.RepoID]
+		if err := t.Issue.LoadRepo(ctx); err != nil {
-			if !ok {
+			continue
-				var err error
+		}
-				perm, err = access_model.GetUserRepoPermission(ctx, t.Issue.Repo, doer)
+		perm, ok := permCache[t.Issue.RepoID]
-				if err != nil {
+		if !ok {
-					continue
+			var err error
-				}
+			perm, err = access_model.GetUserRepoPermission(ctx, t.Issue.Repo, doer)
-				permCache[t.Issue.RepoID] = perm
+			if err != nil {
-			}
-			if !perm.CanReadIssuesOrPulls(t.Issue.IsPull) {
 				continue
 			}
+			permCache[t.Issue.RepoID] = perm
+		}
+		if !perm.CanReadIssuesOrPulls(t.Issue.IsPull) {
+			continue
 		}
 		result = append(result, ToTrackedTime(ctx, doer, t))
 	}