Improve watcher list permissions check to explicitly require @view_issue_watchers@ permission (#40946).

Patch by Felix Schäfer (@felix). git-svn-id: https://svn.redmine.org/redmine/trunk@22913 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-08 06:15:59 +01:00 · 2024-07-08 21:28:24 +00:00
parent fe38f5e83f
commit 2d20811f40
7 changed files with 67 additions and 1 deletions
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@@ -2801,6 +2801,17 @@ class IssuesControllerTest < Redmine::ControllerTest
    end
  end

+  def test_show_should_not_display_watchers_without_permission
+    @request.session[:user_id] = 2
+    Role.find(1).remove_permission! :view_issue_watchers
+    issue = Issue.find(1)
+    issue.add_watcher User.find(2)
+    issue.add_watcher Group.find(10)
+    get(:show, :params => {:id => 1})
+    assert_select 'div#watchers ul', 0
+    assert_select 'h3', {text: /Watchers \(\d*\)/, count: 0}
+  end
+
  def test_show_should_display_watchers_with_gravatars
    @request.session[:user_id] = 2
    issue = Issue.find(1)