[#6460] Fixed security checks sometimes using incorrect roles
When doing a has_access() check for a given user against a given
artifact without explicitly specifying the project, c.project was being
used to get the list of user's roles instead of the artifact's project
attribute. If c.project was not the project to which the artifact
belonged, the the wrong set of role_ids were being used, resulting in
access being denied. It's a bit nonsensical to use an unrelated
project's role_ids to check access to an artifact, and this was breaking
notifications, which fire all pending notifications, regardless of the
context under which fire_ready() was called.
Signed-off-by: Cory Johns <cjohns@slashdotmedia.com>
4 files changed
