Merged r17436 from trunk to 3.4-stable (#29133).
authorGo MAEDA <maeda@farend.jp>
Sun, 8 Jul 2018 07:26:11 +0000 (07:26 +0000)
committerGo MAEDA <maeda@farend.jp>
Sun, 8 Jul 2018 07:26:11 +0000 (07:26 +0000)
git-svn-id: http://svn.redmine.org/redmine/branches/3.4-stable@17437 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/issue_query.rb
test/unit/query_test.rb

index f852c144e2312f99c7a84acd14719daddf55670a..d4982cf13a9c7ef188818a00e246bac4829efe95 100644 (file)
@@ -382,8 +382,26 @@ class IssueQuery < Query
 
   def sql_for_watcher_id_field(field, operator, value)
     db_table = Watcher.table_name
-    "#{Issue.table_name}.id #{ operator == '=' ? 'IN' : 'NOT IN' } (SELECT #{db_table}.watchable_id FROM #{db_table} WHERE #{db_table}.watchable_type='Issue' AND " +
-      sql_for_field(field, '=', value, db_table, 'user_id') + ')'
+
+    me, others = value.partition { |id| ['0', User.current.id.to_s].include?(id) }
+    sql = if others.any?
+      "SELECT #{Issue.table_name}.id FROM #{Issue.table_name} " +
+      "INNER JOIN #{db_table} ON #{Issue.table_name}.id = #{db_table}.watchable_id AND #{db_table}.watchable_type = 'Issue' " +
+      "LEFT OUTER JOIN #{Project.table_name} ON #{Project.table_name}.id = #{Issue.table_name}.project_id " +
+      "WHERE (" +
+        sql_for_field(field, '=', me, db_table, 'user_id') +
+      ') OR (' +
+        Project.allowed_to_condition(User.current, :view_issue_watchers) +
+        ' AND ' +
+        sql_for_field(field, '=', others, db_table, 'user_id') +
+      ')'
+    else
+      "SELECT #{db_table}.watchable_id FROM #{db_table} " +
+      "WHERE #{db_table}.watchable_type='Issue' AND " +
+      sql_for_field(field, '=', me, db_table, 'user_id')
+    end
+
+    "#{Issue.table_name}.id #{ operator == '=' ? 'IN' : 'NOT IN' } (#{sql})"
   end
 
   def sql_for_member_of_group_field(field, operator, value)
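Review bot: When the filter names only other users, `me` is empty and the first `sql_for_field(field, '=', me, db_table, 'user_id')` call in the `others.any?` branch receives an empty list, so the permission boundary relies on that helper returning an always-false predicate rather than an empty or malformed fragment; the helper is defined outside this hunk, so that needs confirming. Building the first clause as `me.any? ? sql_for_field(field, '=', me, db_table, 'user_id') : '1=0'` would make the fail-closed behaviour explicit inside this method. The intent also deserves a comment above the `partition` line, for example `# Watchers other than the current user are matched only in projects where the user has :view_issue_watchers`. The partition compares exact strings, so any value that is not literally '0' or the current user's id falls into `others` and is permission-checked, which is the safe direction and worth stating in that comment.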
index bb5effdef625fda18dd0dc33f6617e78e0a54df3..dfa2ace6d208964621fe633a4e90bc8b8bb86e29 100644 (file)
@@ -876,6 +876,38 @@ class QueryTest < ActiveSupport::TestCase
     User.current = nil
   end
 
+  def test_filter_on_watched_issues_with_view_issue_watchers_permission
+    User.current = User.find(1)
+    User.current.admin = true
+    assert User.current.allowed_to?(:view_issue_watchers, Project.find(1))
+
+    Issue.find(1).add_watcher User.current
+    Issue.find(3).add_watcher User.find(3)
+    query = IssueQuery.new(:name => '_', :filters => { 'watcher_id' => {:operator => '=', :values => ['me', '3']}})
+    result = find_issues_with_query(query)
+    assert_includes result, Issue.find(1)
+    assert_includes result, Issue.find(3)
+  ensure
+    User.current.reload
+    User.current = nil
+  end
+
+  def test_filter_on_watched_issues_without_view_issue_watchers_permission
+    User.current = User.find(1)
+    User.current.admin = false
+    assert !User.current.allowed_to?(:view_issue_watchers, Project.find(1))
+
+    Issue.find(1).add_watcher User.current
+    Issue.find(3).add_watcher User.find(3)
+    query = IssueQuery.new(:name => '_', :filters => { 'watcher_id' => {:operator => '=', :values => ['me', '3']}})
+    result = find_issues_with_query(query)
+    assert_includes result, Issue.find(1)
+    assert_not_includes result, Issue.find(3)
+  ensure
+    User.current.reload
+    User.current = nil
+  end
+
   def test_filter_on_custom_field_should_ignore_projects_with_field_disabled
     field = IssueCustomField.generate!(:trackers => Tracker.all, :project_ids => [1, 3, 4], :is_for_all => false, :is_filter => true)
     Issue.generate!(:project_id => 3, :tracker_id => 2, :custom_field_values => {field.id.to_s => 'Foo'})
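Review bot: Both new tests use only the `=` operator with the mixed value `['me', '3']`, so the `NOT IN` path and the others-only case (where the `me` list is empty) of the new permission check are not exercised. In the without-permission test, a second query with `:values => ['3']` followed by `assert_not_includes result, Issue.find(3)` would pin the restriction when no "me" clause is present. A companion case with `:operator => '!'` would document what a user without `:view_issue_watchers` gets back from the negated filter. Minor style point: `assert !User.current.allowed_to?(...)` reads more clearly as `assert_not User.current.allowed_to?(:view_issue_watchers, Project.find(1))`.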