Improve watcher list permissions check to explicitly require @view_issue_watchers@ permission (#40946).

Patch by Felix Schäfer (@felix).



git-svn-id: https://svn.redmine.org/redmine/trunk@22913 e93f8b46-1217-0410-a6f0-8f06a7374b81

lib/plugins/acts_as_watchable/lib/acts_as_watchable.rb

@@ -60,6 +60,16 @@ module Redmine
           users
         end
 
+        # array of watchers that the given user is allowed to see
+        def visible_watcher_users(user = User.current)
+          if user.allowed_to?(:"view_#{self.class.name.underscore}_watchers", project)
+            watcher_users
+          else
+            # without permission, the user can only see themselves (if they're a watcher)
+            watcher_users & [user]
+          end
+        end
+
         # Adds user as a watcher
         def add_watcher(user)
           if persisted?