Merge db0d13cf57192965ed9451f42046236b99824c24 into bbea5e6c2d75a4a710d7838b7bec7e851e046d3c

2026-02-21 11:28:12 +01:00 · 2026-02-20 12:26:56 -08:00 · 2026-02-20 12:26:56 -08:00 · a7adb4a196
commit a7adb4a196
parent bbea5e6c2d db0d13cf57
2 changed files with 77 additions and 0 deletions
--- a/services/convert/issue.go
+++ b/services/convert/issue.go
@ -226,7 +226,27 @@ func ToStopWatches(ctx context.Context, doer *user_model.User, sws []*issues_mod
 // ToTrackedTimeList converts TrackedTimeList to API format
 func ToTrackedTimeList(ctx context.Context, doer *user_model.User, tl issues_model.TrackedTimeList) api.TrackedTimeList {
 	result := make([]*api.TrackedTime, 0, len(tl))
+	permCache := make(map[int64]access_model.Permission)
 	for _, t := range tl {
+		// If the issue is not loaded, conservatively skip this entry to avoid bypassing permission checks.
+		if t.Issue == nil {
+			continue
+		}
+		if err := t.Issue.LoadRepo(ctx); err != nil {
+			continue
+		}
+		perm, ok := permCache[t.Issue.RepoID]
+		if !ok {
+			var err error
+			perm, err = access_model.GetUserRepoPermission(ctx, t.Issue.Repo, doer)
+			if err != nil {
+				continue
+			}
+			permCache[t.Issue.RepoID] = perm
+		}
+		if !perm.CanReadIssuesOrPulls(t.Issue.IsPull) {
+			continue
+		}
 		result = append(result, ToTrackedTime(ctx, doer, t))
 	}
 	return result
--- a/services/convert/issue_test.go
+++ b/services/convert/issue_test.go
@ -83,3 +83,60 @@ func TestToStopWatchesRespectsPermissions(t *testing.T) {
 	assert.Len(t, visibleAdmin, 2)
 	assert.ElementsMatch(t, []string{"repo1", "repo3"}, []string{visibleAdmin[0].RepoName, visibleAdmin[1].RepoName})
 }
+
+func TestToTrackedTimeListRespectsPermissions(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	ctx := t.Context()
+	publicIssue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: 1})
+	privateIssue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: 3})
+
+	regularUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+
+	publicTT := &issues_model.TrackedTime{IssueID: publicIssue.ID, UserID: regularUser.ID, Time: 3600}
+	privateTT := &issues_model.TrackedTime{IssueID: privateIssue.ID, UserID: regularUser.ID, Time: 1800}
+	assert.NoError(t, db.Insert(ctx, publicTT))
+	assert.NoError(t, db.Insert(ctx, privateTT))
+
+	trackedTimes := issues_model.TrackedTimeList{publicTT, privateTT}
+	assert.NoError(t, trackedTimes.LoadAttributes(ctx))
+
+	visible := ToTrackedTimeList(ctx, regularUser, trackedTimes)
+	assert.Len(t, visible, 1)
+	assert.Equal(t, "repo1", visible[0].Issue.Repo.Name)
+
+	visibleAdmin := ToTrackedTimeList(ctx, adminUser, trackedTimes)
+	assert.Len(t, visibleAdmin, 2)
+	assert.ElementsMatch(t, []string{"repo1", "repo3"}, []string{visibleAdmin[0].Issue.Repo.Name, visibleAdmin[1].Issue.Repo.Name})
+}
+
+func TestToTrackedTimeListSkipsUnloadedIssues(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	ctx := t.Context()
+	publicIssue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: 1})
+	regularUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+
+	publicTT := &issues_model.TrackedTime{IssueID: publicIssue.ID, UserID: regularUser.ID, Time: 3600}
+	assert.NoError(t, db.Insert(ctx, publicTT))
+
+	trackedTimes := issues_model.TrackedTimeList{publicTT}
+	visible := ToTrackedTimeList(ctx, regularUser, trackedTimes)
+	assert.Empty(t, visible)
+}
+
+func TestToTrackedTimeListSkipsRepoLoadErrors(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	ctx := t.Context()
+	regularUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+
+	trackedTimes := issues_model.TrackedTimeList{
+		{
+			Issue: &issues_model.Issue{RepoID: 999999, IsPull: false},
+		},
+	}
+	visible := ToTrackedTimeList(ctx, regularUser, trackedTimes)
+	assert.Empty(t, visible)
+}