Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-11 15:56:03 +01:00
Code Issues Packages Projects Releases Activity

Respect field visibility when showing associated issue fields (#37255).

Browse Source 
Patch by Holger Just.


git-svn-id: https://svn.redmine.org/redmine/trunk@21645 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Marius Balteanu
2022-06-16 21:43:58 +00:00
parent 04b91b3578
commit 1a3ee38c2e
3 changed files with 27 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/helpers/application_helper.rb
View File

@@ -295,6 +295,7 @@ module ApplicationHelper
object.filename object.filename
end end
when 'CustomValue', 'CustomFieldValue' when 'CustomValue', 'CustomFieldValue'
return "" unless object.customized&.visible?
if object.custom_field if object.custom_field
f = object.custom_field.format.formatted_custom_value(self, object, html) f = object.custom_field.format.formatted_custom_value(self, object, html)
if f.nil? || f.is_a?(String) if f.nil? || f.is_a?(String)

6
app/models/query.rb
View File

@@ -113,7 +113,8 @@ class QueryAssociationColumn < QueryColumn
end end
def value_object(object) def value_object(object)
if assoc = object.send(@association) assoc = object.send(@association)
if assoc && assoc.visible?
assoc.send @attribute assoc.send @attribute
end end
end end
@@ -184,7 +185,8 @@ class QueryAssociationCustomFieldColumn < QueryCustomFieldColumn
end end
def value_object(object) def value_object(object)
if assoc = object.send(@association) assoc = object.send(@association)
if assoc && assoc.visible?
super(assoc) super(assoc)
end end
end end

22
test/functional/timelog_controller_test.rb
View File

@@ -1466,6 +1466,28 @@ class TimelogControllerTest < Redmine::ControllerTest
assert_select 'td.issue_cf_2', :text => 'filter_on_issue_custom_field' assert_select 'td.issue_cf_2', :text => 'filter_on_issue_custom_field'
end end
def test_index_should_not_disclose_issue_data
category = IssueCategory.find 2
issue =
Issue.generate!(
:project_id => 1, :tracker_id => 1,
:custom_field_values => {2 => 'filter_on_issue_custom_field'}
)
entry = TimeEntry.generate!(:issue => issue, :hours => 2.5)
session[:user_id] = 3
issue.update_columns is_private: true, category_id: category.id
assert_not issue.visible?(User.find(3))
# since the issue is not visible, its custom fields and associated ojects should not be visible either
get :index, :params => {
:c => %w(issue issue.cf_2 issue.category)
}
assert_response :success
assert_select 'td.issue', :text => /#{issue.subject}/, :count => 0
assert_select 'td.issue-category', :text => /#{category.name}/, :count => 0
assert_select 'td.issue_cf_2', :text => 'filter_on_issue_custom_field', :count => 0
end
def test_index_with_time_entry_custom_field_column def test_index_with_time_entry_custom_field_column
field = TimeEntryCustomField.generate!(:field_format => 'string') field = TimeEntryCustomField.generate!(:field_format => 'string')
entry = TimeEntry.generate!(:hours => 2.5, :custom_field_values => {field.id => 'CF Value'}) entry = TimeEntry.generate!(:hours => 2.5, :custom_field_values => {field.id => 'CF Value'})