Reject project custom field values not visible for the user (#31954, #31925).

Patch by Marius BALTEANU. git-svn-id: http://svn.redmine.org/redmine/trunk@18401 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-15 09:46:02 +01:00 · 2019-08-27 10:20:09 +00:00
parent 0bec019bde
commit ce831ae5e4
2 changed files with 41 additions and 0 deletions
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -787,6 +787,18 @@ class Project < ActiveRecord::Base
      end
    end
    # Reject custom fields values not visible by the user
    if attrs['custom_field_values'].present?
      editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}
      attrs['custom_field_values'].reject! {|k, v| !editable_custom_field_ids.include?(k.to_s)}
    end
    # Reject custom fields not visible by the user
    if attrs['custom_fields'].present?
      editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}
      attrs['custom_fields'].reject! {|c| !editable_custom_field_ids.include?(c['id'].to_s)}
    end
    super(attrs, user)
  end
@@ -864,6 +876,11 @@ class Project < ActiveRecord::Base
    end
  end
  # Returns the custom_field_values that can be edited by the given user
  def editable_custom_field_values(user=nil)
    visible_custom_field_values(user)
  end
  def visible_custom_field_values(user = nil)
    user ||= User.current
    custom_field_values.select do |value|
--- a/test/unit/project_test.rb
+++ b/test/unit/project_test.rb
@@ -1043,4 +1043,28 @@ class ProjectTest < ActiveSupport::TestCase
      Project.distinct.visible.to_a
    end
  end
  def test_safe_attributes_should_include_only_custom_fields_visible_to_user
    cf1 = ProjectCustomField.create!(:name => 'Visible field',
                                   :field_format => 'string',
                                   :visible => false, :role_ids => [1])
    cf2 = ProjectCustomField.create!(:name => 'Non visible field',
                                   :field_format => 'string',
                                   :visible => false, :role_ids => [3])
    user = User.find(2)
    project = Project.find(1)
    project.send :safe_attributes=, {'custom_field_values' => {
                                       cf1.id.to_s => 'value1', cf2.id.to_s => 'value2'
                                     }}, user
    assert_equal 'value1', project.custom_field_value(cf1)
    assert_nil project.custom_field_value(cf2)
    project.send :safe_attributes=, {'custom_fields' => [
                                      {'id' => cf1.id.to_s, 'value' => 'valuea'},
                                      {'id' => cf2.id.to_s, 'value' => 'valueb'}
                                    ]}, user
    assert_equal 'valuea', project.custom_field_value(cf1)
    assert_nil project.custom_field_value(cf2)
  end
 end