From f03fa395af16933af80ce922a1e51af541e252ce Mon Sep 17 00:00:00 2001
From: lum <klum@labkey.com>
Date: Fri, 10 Oct 2025 14:52:15 -0700
Subject: [PATCH] Permission validation for related issues

---
 issues/src/org/labkey/issue/IssueServiceImpl.java        | 3 ++-
 issues/src/org/labkey/issue/actions/IssueValidation.java | 9 +++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/issues/src/org/labkey/issue/IssueServiceImpl.java b/issues/src/org/labkey/issue/IssueServiceImpl.java
index cbe0f4deac7..f1d8d2545e1 100644
--- a/issues/src/org/labkey/issue/IssueServiceImpl.java
+++ b/issues/src/org/labkey/issue/IssueServiceImpl.java
@@ -140,7 +140,8 @@ public Issue saveIssue(ViewContext context, Issue issue, Issue.action action, Li
                     for (int curIssueId : prevIssues)
                     {
                         IssueObject relatedIssue = ChangeSummary.relatedIssueCommentHandler(issueObject.getIssueId(), curIssueId, user, true);
-                        IssueManager.saveIssue(getRelatedIssueUser(container, user, relatedIssue), container, relatedIssue);
+                        if (null != relatedIssue)
+                            IssueManager.saveIssue(getRelatedIssueUser(container, user, relatedIssue), container, relatedIssue);
                     }
                 }
 
diff --git a/issues/src/org/labkey/issue/actions/IssueValidation.java b/issues/src/org/labkey/issue/actions/IssueValidation.java
index bac035bcd36..aa84740d0d4 100644
--- a/issues/src/org/labkey/issue/actions/IssueValidation.java
+++ b/issues/src/org/labkey/issue/actions/IssueValidation.java
@@ -231,13 +231,18 @@ public static void relatedIssueHandler(IssueObject issue, User user, Errors erro
                 }
             }
 
-            // Issue 40178: Related Issues need to be in synch when related issues are deleted
+            // Issue 40178: Related Issues need to be in sync when related issues are deleted
             for (Integer originalRelatedId : originalRelatedIssues)
             {
                 if (!newRelatedIssues.contains(originalRelatedId))
                 {
                     IssueObject related = IssueManager.getIssue(null, user, originalRelatedId);
-                    if (null != related)
+                    if (related == null || !related.lookupContainer().hasPermission(user, ReadPermission.class))
+                    {
+                        errors.reject(SpringActionController.ERROR_MSG, "User does not have Read Permission for related issue '" + originalRelatedId + "'");
+                        return;
+                    }
+                    else
                     {
                       related = ChangeSummary.relatedIssueCommentHandler(originalIssue.getIssueId(), related.getIssueId(), user, true );
                       IssueManager.saveIssue(user, related.lookupContainer(), related);