Reject project custom field values not visible for the user (#31954, #31925).

Patch by Marius BALTEANU.


git-svn-id: http://svn.redmine.org/redmine/trunk@18401 e93f8b46-1217-0410-a6f0-8f06a7374b81
Go MAEDA
2019-08-27 10:20:09 +00:00
parent 0bec019bde
commit ce831ae5e4
2 changed files with 41 additions and 0 deletions


@@ -1043,4 +1043,28 @@ class ProjectTest < ActiveSupport::TestCase
Project.distinct.visible.to_a
end
end
def test_safe_attributes_should_include_only_custom_fields_visible_to_user
cf1 = ProjectCustomField.create!(:name => 'Visible field',
:field_format => 'string',
:visible => false, :role_ids => [1])
cf2 = ProjectCustomField.create!(:name => 'Non visible field',
:field_format => 'string',
:visible => false, :role_ids => [3])
user = User.find(2)
project = Project.find(1)
project.send :safe_attributes=, {'custom_field_values' => {
cf1.id.to_s => 'value1', cf2.id.to_s => 'value2'
}}, user
assert_equal 'value1', project.custom_field_value(cf1)
assert_nil project.custom_field_value(cf2)
project.send :safe_attributes=, {'custom_fields' => [
{'id' => cf1.id.to_s, 'value' => 'valuea'},
{'id' => cf2.id.to_s, 'value' => 'valueb'}
]}, user
assert_equal 'valuea', project.custom_field_value(cf1)
assert_nil project.custom_field_value(cf2)
end
end
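Review bot: Both `assert_nil project.custom_field_value(cf2)` checks start from a field that never held a value, so the test would also pass if the restricted assignment cleared a hidden field instead of leaving it untouched. Seeding the hidden field first, e.g. `project.custom_field_values = {cf2.id.to_s => 'original'}`, and then checking `assert_equal 'original', project.custom_field_value(cf2)` after each `safe_attributes=` call would pin the property that matters: a user who cannot see the field cannot change what is stored in it. The 'Visible field' case is created with `:visible => false, :role_ids => [1]`, so it apparently depends on `User.find(2)` holding role 1 on `Project.find(1)` in the fixtures, which are not shown in this hunk. A short comment such as `# user 2 has role 1 on project 1, not role 3` would make that dependency explicit. The model-side change that this test exercises is not visible here, so the note covers only the test.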