Commit c032167d authored by jplang

Fixed that members without view issues permission are able to list issues on...

Fixed that members without view issues permission are able to list issues on public projects if the non member role has the permission (#20206).

git-svn-id: https://svn.redmine.org/redmine/trunk@14450 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent 1e1f189b
......@@ -188,7 +188,11 @@ class Project < ActiveRecord::Base
unless options[:member]
role = user.builtin_role
if role.allowed_to?(permission)
statement_by_role[role] = "#{Project.table_name}.is_public = #{connection.quoted_true}"
s = "#{Project.table_name}.is_public = #{connection.quoted_true}"
if user.id
s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} WHERE user_id = #{user.id}))"
end
statement_by_role[role] = s
end
end
user.projects_by_role.each do |role, projects|
......
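Review bot: The added `NOT IN (SELECT project_id FROM ... WHERE user_id = ...)` clause carries the whole authorization rule of this fix, yet nothing in the hunk explains why members are excluded from the public-project branch. A comment above `if user.id`, such as `# A member's own roles decide access to a project; the built-in role must not grant it on projects the user belongs to`, would keep a later refactor from dropping the clause. `user.id` is also interpolated straight into the SQL string, which is safe only while it is the integer primary key; `user.id.to_i` would make that assumption explicit. The enclosing method starts and ends outside the hunk, so how the other branches build their conditions cannot be checked from here.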
......@@ -310,6 +310,15 @@ class IssueTest < ActiveSupport::TestCase
assert_visibility_match user, issues
end
def test_visible_scope_for_member_without_view_issues_permission_and_non_member_role_having_the_permission
Role.non_member.add_permission!(:view_issues)
Role.find(1).remove_permission!(:view_issues)
user = User.find(2)
assert_equal 0, Issue.where(:project_id => 1).visible(user).count
assert_equal false, Issue.where(:project_id => 1).first.visible?(user)
end
def test_visible_scope_for_member_with_groups_should_return_assigned_issues
user = User.find(8)
assert user.groups.any?
......
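Review bot: The new test's `assert_equal 0, ...visible(user).count` would also pass if project 1 had no issues at all, and `.first.visible?(user)` would then fail with a nil error rather than an assertion. A precondition such as `assert Issue.where(:project_id => 1).any?` before the two assertions would make the zero count meaningful. The test also checks only the denied side. A companion assertion that a logged-in user who is not a member of project 1 still sees its issues through the non-member role would guard against the new `NOT IN` clause over-restricting access; which fixture user fits is not visible on this page.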