Commit 248941e4 authored by jplang's avatar jplang

Assignable users should not include users that cannot view the tracker (#23172).

git-svn-id: https://svn.redmine.org/redmine/trunk@15586 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent 96908e31
......@@ -35,16 +35,8 @@ class ContextMenusController < ApplicationController
:add_watchers => User.current.allowed_to?(:add_issue_watchers, @projects),
:delete => @issues.all?(&:deletable?)
}
if @project
if @issue
@assignables = @issue.assignable_users
else
@assignables = @project.assignable_users
end
else
#when multiple projects, we only keep the intersection of each set
@assignables = @projects.map(&:assignable_users).reduce(:&)
end
@assignables = @issues.map(&:assignable_users).reduce(:&)
@trackers = @projects.map {|p| Issue.allowed_target_trackers(p) }.reduce(:&)
@versions = @projects.map {|p| p.shared_versions.open}.reduce(:&)
......
......@@ -854,7 +854,7 @@ class Issue < ActiveRecord::Base
# Users the issue can be assigned to
def assignable_users
users = project.assignable_users.to_a
users = project.assignable_users(tracker).to_a
users << author if author && author.active?
users << assigned_to if assigned_to
users.uniq.sort
......
......@@ -512,16 +512,27 @@ class Project < ActiveRecord::Base
end
# Return a Principal scope of users/groups issues can be assigned to
def assignable_users
def assignable_users(tracker=nil)
return @assignable_users[tracker] if @assignable_users && @assignable_users[tracker]
types = ['User']
types << 'Group' if Setting.issue_group_assignment?
@assignable_users ||= Principal.
scope = Principal.
active.
joins(:members => :roles).
where(:type => types, :members => {:project_id => id}, :roles => {:assignable => true}).
uniq.
sorted
if tracker
# Rejects users that cannot the view the tracker
roles = Role.where(:assignable => true).select {|role| role.permissions_tracker?(:view_issues, tracker)}
scope = scope.where(:roles => {:id => roles.map(&:id)})
end
@assignable_users ||= {}
@assignable_users[tracker] = scope
end
# Returns the mail addresses of users that should be always notified on project events
......
......@@ -222,6 +222,13 @@ class Role < ActiveRecord::Base
permissions_all_trackers[permission.to_s].to_s != '0'
end
# Returns true if permission is given for the tracker
# (explicitly or for all trackers)
def permissions_tracker?(permission, tracker)
permissions_all_trackers?(permission) ||
permissions_tracker_ids?(permission, tracker.try(:id))
end
# Sets the trackers that are allowed for a permission.
# tracker_ids can be an array of tracker ids or :all for
# no restrictions.
......
......@@ -2292,6 +2292,19 @@ class IssueTest < ActiveSupport::TestCase
end
end
def test_assignable_users_should_not_include_users_that_cannot_view_the_tracker
user = User.find(3)
role = Role.find(2)
role.set_permission_trackers :view_issues, [1, 3]
role.save!
issue1 = Issue.new(:project_id => 1, :tracker_id => 1)
issue2 = Issue.new(:project_id => 1, :tracker_id => 2)
assert_include user, issue1.assignable_users
assert_not_include user, issue2.assignable_users
end
def test_create_should_send_email_notification
ActionMailer::Base.deliveries.clear
issue = Issue.new(:project_id => 1, :tracker_id => 1,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment