Respect field visibility when showing associated issue fields (#37255).

Patch by Holger Just.

git-svn-id: https://svn.redmine.org/redmine/trunk@21645 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 4f2debeb7833606a38616d0ea727f20e42430bbf..0f3b763a138f9720af321f4afff3829c7262a0c9 100644 (file)
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -295,6 +295,7 @@ module ApplicationHelper
         object.filename
       end
     when 'CustomValue', 'CustomFieldValue'
+      return "" unless object.customized&.visible?
       if object.custom_field
         f = object.custom_field.format.formatted_custom_value(self, object, html)
         if f.nil? || f.is_a?(String)

diff --git a/app/models/query.rb b/app/models/query.rb
index 0186cc379a3ef59c0dbc17497d029a45e4938dd6..7695bc165213d18ea6fc5ba611ec114faba43fdf 100644 (file)
--- a/app/models/query.rb
+++ b/app/models/query.rb
@@ -113,7 +113,8 @@ class QueryAssociationColumn < QueryColumn
   end
 
   def value_object(object)
-    if assoc = object.send(@association)
+    assoc = object.send(@association)
+    if assoc && assoc.visible?
       assoc.send @attribute
     end
   end
@@ -184,7 +185,8 @@ class QueryAssociationCustomFieldColumn < QueryCustomFieldColumn
   end
 
   def value_object(object)
-    if assoc = object.send(@association)
+    assoc = object.send(@association)
+    if assoc && assoc.visible?
       super(assoc)
     end
   end

diff --git a/test/functional/timelog_controller_test.rb b/test/functional/timelog_controller_test.rb
index 51fc9c3103e25ce43d6b12736af945f18622904f..15c15e7c022dbbcde61b0f711899ad5e442c25c1 100644 (file)
--- a/test/functional/timelog_controller_test.rb
+++ b/test/functional/timelog_controller_test.rb
@@ -1466,6 +1466,28 @@ class TimelogControllerTest < Redmine::ControllerTest
     assert_select 'td.issue_cf_2', :text => 'filter_on_issue_custom_field'
   end
 
+  def test_index_should_not_disclose_issue_data
+    category = IssueCategory.find 2
+    issue =
+      Issue.generate!(
+        :project_id => 1, :tracker_id => 1,
+        :custom_field_values => {2 => 'filter_on_issue_custom_field'}
+      )
+    entry = TimeEntry.generate!(:issue => issue, :hours => 2.5)
+    session[:user_id] = 3
+    issue.update_columns is_private: true, category_id: category.id
+    assert_not issue.visible?(User.find(3))
+    # since the issue is not visible, its custom fields and associated ojects should not be visible either
+
+    get :index, :params => {
+      :c => %w(issue issue.cf_2 issue.category)
+    }
+    assert_response :success
+    assert_select 'td.issue', :text => /#{issue.subject}/, :count => 0
+    assert_select 'td.issue-category', :text => /#{category.name}/, :count => 0
+    assert_select 'td.issue_cf_2', :text => 'filter_on_issue_custom_field', :count => 0
+  end
+
   def test_index_with_time_entry_custom_field_column
     field = TimeEntryCustomField.generate!(:field_format => 'string')
     entry = TimeEntry.generate!(:hours => 2.5, :custom_field_values => {field.id => 'CF Value'})