Backported r14796 (#21150).

git-svn-id: http://svn.redmine.org/redmine/branches/2.6-stable@14840 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/models/time_entry.rb b/app/models/time_entry.rb
index b5ca2bbc12a5331108caaf6c1cfa0daa36656919..c60783708e2744d891651a18a0055ce0fff3ba0b 100644 (file)
--- a/app/models/time_entry.rb
+++ b/app/models/time_entry.rb
@@ -80,9 +80,14 @@ class TimeEntry < ActiveRecord::Base
   def safe_attributes=(attrs, user=User.current)
     if attrs
       attrs = super(attrs)
-      if issue_id_changed? && attrs[:project_id].blank? && issue && issue.project_id != project_id
-        if user.allowed_to?(:log_time, issue.project)
-          self.project_id = issue.project_id
+      if issue_id_changed? && issue
+        if issue.visible?(user) && user.allowed_to?(:log_time, issue.project)
+          if attrs[:project_id].blank? && issue.project_id != project_id
+            self.project_id = issue.project_id
+          end
+          @invalid_issue_id = nil
+        else
+          @invalid_issue_id = issue_id
         end
       end
     end
@@ -96,7 +101,7 @@ class TimeEntry < ActiveRecord::Base
   def validate_time_entry
     errors.add :hours, :invalid if hours && (hours < 0 || hours >= 1000)
     errors.add :project_id, :invalid if project.nil?
-    errors.add :issue_id, :invalid if (issue_id && !issue) || (issue && project!=issue.project)
+    errors.add :issue_id, :invalid if (issue_id && !issue) || (issue && project!=issue.project) || @invalid_issue_id
   end
 
   def hours=(h)

diff --git a/app/views/timelog/_form.html.erb b/app/views/timelog/_form.html.erb
index 1f350809dd4d3f71b36696cdf09b99e48878d62e..9399767d1d5e95cb615342b89088af0a2e16342c 100644 (file)
--- a/app/views/timelog/_form.html.erb
+++ b/app/views/timelog/_form.html.erb
@@ -13,7 +13,9 @@
   <% end %>
   <p>
     <%= f.text_field :issue_id, :size => 6 %>
-    <span id="time_entry_issue"><%= "#{@time_entry.issue.tracker.name} ##{@time_entry.issue.id}: #{@time_entry.issue.subject}" if @time_entry.issue.try(:visible?) %></span>
+    <% if @time_entry.issue.try(:visible?) %>
+      <span id="time_entry_issue"><%= "#{@time_entry.issue.tracker.name} ##{@time_entry.issue.id}: #{@time_entry.issue.subject}" %></span>
+    <% end %>
   </p>
   <p><%= f.text_field :spent_on, :size => 10, :required => true %><%= calendar_for('time_entry_spent_on') %></p>
   <p><%= f.text_field :hours, :size => 6, :required => true %></p>

diff --git a/test/functional/timelog_controller_test.rb b/test/functional/timelog_controller_test.rb
index 44e1a3a3413a104436372c2e2c6a8d7f4a3c4d92..54a69b7ba345999dd0c29f89e07de1358d250976 100644 (file)
--- a/test/functional/timelog_controller_test.rb
+++ b/test/functional/timelog_controller_test.rb
@@ -163,6 +163,23 @@ class TimelogControllerTest < ActionController::TestCase
     assert_equal 3, t.user_id
   end
 
+  def test_create_on_issue_that_is_not_visible_should_not_disclose_subject
+    issue = Issue.generate!(:subject => "issue_that_is_not_visible", :is_private => true)
+    assert !issue.visible?(User.find(3))
+
+    @request.session[:user_id] = 3
+    assert_no_difference 'TimeEntry.count' do
+      post :create, :time_entry => {
+        :project_id => '', :issue_id => issue.id.to_s,
+        :activity_id => '11', :spent_on => '2008-03-14', :hours => '7.3'
+      }
+    end
+    assert_error_tag :content => /Issue is invalid/
+    assert_select "input[name=?][value=?]", "time_entry[issue_id]", issue.id.to_s
+    assert_select "#time_entry_issue", 0
+    assert !response.body.include?('issue_that_is_not_visible')
+  end
+
   def test_create_and_continue_at_project_level
     @request.session[:user_id] = 2
     assert_difference 'TimeEntry.count' do