Fixed that members without view issues permission are able to list issues on public projects if the non member role has the permission (#20206).

git-svn-id: http://svn.redmine.org/redmine/trunk@14450 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-15 17:56:03 +01:00 · 2015-07-25 06:44:01 +00:00
parent f1072337b9
commit 1def32c4dd
2 changed files with 14 additions and 1 deletions
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -188,7 +188,11 @@ class Project < ActiveRecord::Base
      unless options[:member]
        role = user.builtin_role
        if role.allowed_to?(permission)
-          statement_by_role[role] = "#{Project.table_name}.is_public = #{connection.quoted_true}"
+          s = "#{Project.table_name}.is_public = #{connection.quoted_true}"
          if user.id
            s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} WHERE user_id = #{user.id}))"
          end
          statement_by_role[role] = s
        end
      end
      user.projects_by_role.each do |role, projects|
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -310,6 +310,15 @@ class IssueTest < ActiveSupport::TestCase
    assert_visibility_match user, issues
  end
  def test_visible_scope_for_member_without_view_issues_permission_and_non_member_role_having_the_permission
    Role.non_member.add_permission!(:view_issues)
    Role.find(1).remove_permission!(:view_issues)
    user = User.find(2)
    assert_equal 0, Issue.where(:project_id => 1).visible(user).count
    assert_equal false, Issue.where(:project_id => 1).first.visible?(user)
  end
  def test_visible_scope_for_member_with_groups_should_return_assigned_issues
    user = User.find(8)
    assert user.groups.any?