Properly restrict clarification thread to team.

meisterT · meisterT · commit 1e527a1eb742 · 2025-09-12T19:34:48.000Z
Previously, the following could happen: - team A requests a clarification, potentially including details the jury doesn't want to broadcast - the jury replies to everyone, removing the part from the question that they don't want to have broadcasted - team B views the reply from the jury, sees the whole clarification thread Found while working on #3087
diff --git a/webapp/src/Controller/Team/ClarificationController.php b/webapp/src/Controller/Team/ClarificationController.php
@@ -101,9 +101,12 @@ public function viewAction(Request $request, int $clarId): Response
             throw new HttpException(401, 'Permission denied');
         }
 
-        // Get the "parent" message if we have one.
+        // Get the "parent" message if we have one - if we have access to it
         if ($clarification->getInReplyTo()) {
-            $clarification = $clarification->getInReplyTo();
+            $parent = $clarification->getInReplyTo();
+            if ($team->canViewClarification($parent)) {
+                $clarification = $parent;
+            }
         }
 
         // Mark clarification as read.

Original file line number	Diff line number	Diff line change
`@@ -101,9 +101,12 @@ public function viewAction(Request $request, int $clarId): Response`
`101`	`101`	`throw new HttpException(401, 'Permission denied');`
`102`	`102`	`}`
`103`	`103`
`104`		`- // Get the "parent" message if we have one.`
	`104`	`+ // Get the "parent" message if we have one - if we have access to it`
`105`	`105`	`if ($clarification->getInReplyTo()) {`
`106`		`- $clarification = $clarification->getInReplyTo();`
	`106`	`+ $parent = $clarification->getInReplyTo();`
	`107`	`+ if ($team->canViewClarification($parent)) {`
	`108`	`+ $clarification = $parent;`
	`109`	`+ }`
`107`	`110`	`}`
`108`	`111`
`109`	`112`	`// Mark clarification as read.`