Do not propose watchers that are not allowed to see the object (#33329).
authorGo MAEDA <maeda@farend.jp>
Sun, 24 Jan 2021 05:31:18 +0000 (05:31 +0000)
committerGo MAEDA <maeda@farend.jp>
Sun, 24 Jan 2021 05:31:18 +0000 (05:31 +0000)
Patch by Marius BALTEANU.

git-svn-id: http://svn.redmine.org/redmine/trunk@20724 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/watchers_controller.rb
test/functional/watchers_controller_test.rb

index f4e8f22873e3077c9ddd6794c49e6f6241cbcf11..86533c4810c924f71868f7122f2297ce27182c5d 100644 (file)
@@ -141,7 +141,12 @@ class WatchersController < ApplicationController
     end
     users = scope.sorted.like(params[:q]).to_a
     if @watchables && @watchables.size == 1
-      users -= @watchables.first.watcher_users
+      watchable_object = @watchables.first
+      users -= watchable_object.watcher_users
+
+      if watchable_object.respond_to?(:visible?)
+        users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)}
+      end
     end
     users
   end
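Review bot: The `user.is_a?(User)` guard on the `reject!` line means any non-User principal in `users` (a Group, if the scope can yield one) is never checked against `visible?`, so such an entry would still be proposed as a watcher even when it cannot see the object; whether groups reach this point depends on how `scope` is built above the hunk, so please confirm, and if they can, filter them too or document why they are exempt. The `respond_to?(:visible?)` branch also fails open: a watchable type without `visible?` is proposed to every matching user with no filtering, which is probably intended for the current models but deserves a note such as `# Models without #visible? are not filtered here; add it before making a new type watchable` above the `if`. The enclosing method starts outside the hunk.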
index 4ab9c8243c7cafc0c64909e2322ede3d0d93584f..4e93ce606299ce908a8db2c513e18689f274bb83 100644 (file)
@@ -335,6 +335,20 @@ class WatchersControllerTest < Redmine::ControllerTest
     assert_not_include hidden.name, response.body
   end
 
+  def test_autocomplete_for_user_should_not_return_users_without_object_visibility
+    @request.session[:user_id] = 1
+    get :autocomplete_for_user, :params => {
+      q: 'rober',
+      project_id: 'onlinestore',
+      object_id: '4',
+      object_type: 'issue'
+    }, :xhr => true
+
+    assert_response :success
+
+    assert response.body.blank?
+  end
+
   def test_append
     @request.session[:user_id] = 2
     assert_no_difference 'Watcher.count' do
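Review bot: `assert response.body.blank?` in the new test passes vacuously if `'rober'` matches nobody in the `onlinestore` scope to begin with, so it cannot distinguish "filtered by visibility" from "never a candidate" and would not catch the visibility check being removed. Pair it with a positive control in the same test, for example the same `q` and `project_id` without `object_id`/`object_type` (or against an object the user can see) followed by `assert_not_equal '', response.body`, so the blank body is shown to come from the new filter. The neighbouring test at the top of the hunk uses `assert_not_include`; asserting that the specific user's name is absent in the same style would read more consistently than a blank-body check.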