Adds visibility checks on version views (#27676).

Previously not all data on the roadmap and version view where properly checked against the issue visibility setting. Unprivileged users were able to see the total number of issues, their estimations and the open/close status - even if the user was only allowed to see their own issues. Patch by Gregor Schmidt. git-svn-id: http://svn.redmine.org/redmine/trunk@17051 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-15 09:46:02 +01:00 · 2017-11-29 19:37:20 +00:00
parent 96a854a4b3
commit cd75ba33e9
3 changed files with 14 additions and 14 deletions
--- a/app/helpers/versions_helper.rb
+++ b/app/helpers/versions_helper.rb
@@ -57,9 +57,9 @@ module VersionsHelper
    h = Hash.new {|k,v| k[v] = [0, 0]}
    begin
      # Total issue count
-      version.fixed_issues.group(criteria).count.each {|c,s| h[c][0] = s}
+      version.fixed_issues.visible.group(criteria).count.each {|c,s| h[c][0] = s}
      # Open issues count
-      version.fixed_issues.open.group(criteria).count.each {|c,s| h[c][1] = s}
+      version.fixed_issues.visible.open.group(criteria).count.each {|c,s| h[c][1] = s}
    rescue ActiveRecord::RecordNotFound
    # When grouping by an association, Rails throws this exception if there's no result (bug)
    end
--- a/app/views/versions/_overview.html.erb
+++ b/app/views/versions/_overview.html.erb
@@ -14,22 +14,22 @@
 </ul>
 <% end %>

-<% if version.issues_count > 0 %>
-    <%= progress_bar([version.closed_percent, version.completed_percent],
+<% if version.fixed_issues.visible.count > 0 %>
+    <%= progress_bar([version.fixed_issues.visible.closed_percent, version.fixed_issues.visible.completed_percent],
                     :titles =>
-                       ["%s: %0.0f%%" % [l(:label_closed_issues_plural), version.closed_percent],
-                        "%s: %0.0f%%" % [l(:field_done_ratio), version.completed_percent]],
-                     :legend => ('%0.0f%%' % version.completed_percent)) %>
+                       ["%s: %0.0f%%" % [l(:label_closed_issues_plural), version.fixed_issues.visible.closed_percent],
+                        "%s: %0.0f%%" % [l(:field_done_ratio), version.fixed_issues.visible.completed_percent]],
+                     :legend => ('%0.0f%%' % version.fixed_issues.visible.completed_percent)) %>
    <p class="progress-info">
-      <%= link_to(l(:label_x_issues, :count => version.issues_count),
+      <%= link_to(l(:label_x_issues, :count => version.fixed_issues.visible.count),
                  version_filtered_issues_path(version, :status_id => '*')) %>
      &nbsp;
-      (<%= link_to_if(version.closed_issues_count > 0,
-                      l(:label_x_closed_issues_abbr, :count => version.closed_issues_count),
+      (<%= link_to_if(version.fixed_issues.visible.closed_count > 0,
+                      l(:label_x_closed_issues_abbr, :count => version.fixed_issues.visible.closed_count),
                      version_filtered_issues_path(version, :status_id => 'c')) %>
      &#8212;
-      <%= link_to_if(version.open_issues_count > 0,
-                     l(:label_x_open_issues_abbr, :count => version.open_issues_count),
+      <%= link_to_if(version.fixed_issues.visible.open_count > 0,
+                     l(:label_x_open_issues_abbr, :count => version.fixed_issues.visible.open_count),
                     version_filtered_issues_path(version, :status_id => 'o')) %>)
    </p>
 <% else %>
--- a/app/views/versions/show.html.erb
+++ b/app/views/versions/show.html.erb
@@ -12,12 +12,12 @@
 <%= render(:partial => "wiki/content", :locals => {:content => @version.wiki_page.content}) if @version.wiki_page %>

 <div id="version-summary">
-<% if @version.estimated_hours > 0 || User.current.allowed_to?(:view_time_entries, @project) %>
+<% if @version.fixed_issues.visible.estimated_hours > 0 || User.current.allowed_to?(:view_time_entries, @project) %>
 <fieldset class="time-tracking"><legend><%= l(:label_time_tracking) %></legend>
 <table>
 <tr>
    <th><%= l(:field_estimated_hours) %></th>
-    <td class="total-hours"><%= link_to html_hours(l_hours(@version.estimated_hours)),
+    <td class="total-hours"><%= link_to html_hours(l_hours(@version.fixed_issues.visible.estimated_hours)),
                                        project_issues_path(@version.project, :set_filter => 1, :status_id => '*', :fixed_version_id => @version.id, :c => [:tracker, :status, :subject, :estimated_hours], :t => [:estimated_hours]) %></td>
 </tr>
 <% if User.current.allowed_to_view_all_time_entries?(@project) %>