Anonymous users should not see private issues with anonymous author (#11872).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Wed, 19 Sep 2012 21:48:33 +0000 (21:48 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Wed, 19 Sep 2012 21:48:33 +0000 (21:48 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10433 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/issue.rb
test/unit/issue_test.rb

index 6e7f9a52cb4dbc0f1a919ad8dd93fb282a5ea065..5b1cfadb853544b3fdf81cd23cb475a2f69905a0 100644 (file)
@@ -88,11 +88,19 @@ class Issue < ActiveRecord::Base
       when 'all'
         nil
       when 'default'
-        user_ids = [user.id] + user.groups.map(&:id)
-        "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+        if user.logged?
+          user_ids = [user.id] + user.groups.map(&:id)
+          "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+        else
+          "(#{table_name}.is_private = #{connection.quoted_false})"
+        end
       when 'own'
-        user_ids = [user.id] + user.groups.map(&:id)
-        "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+        if user.logged?
+          user_ids = [user.id] + user.groups.map(&:id)
+          "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+        else
+          '1=0'
+        end
       else
         '1=0'
       end
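Review bot: The reason the `user.logged?` guard is needed is not recorded anywhere in the new `'default'`/`'own'` branches: every anonymous visitor resolves to the same `User.anonymous` record, so matching `author_id`/`assigned_to_id` against it granted one visitor's private issues to all of them. A short comment above the first guard would stop the next refactor from "simplifying" it away, e.g. `# Anonymous visitors share a single User record, so author/assignee matching must be restricted to logged-in users.` The same guard is mirrored in the `visible?` hunk below, and the `user_ids = [user.id] + user.groups.map(&:id)` line plus the author-or-assignee fragment are now written twice in this method and twice more in `visible?`; computing `user_ids` once before the `case` (or extracting a small private helper for the author/assignee condition) would keep the scope and the predicate from drifting apart. The ids are interpolated into SQL unquoted; they come from ActiveRecord integer columns, so this is not an injection risk, but that assumption is worth stating next to the comment. `visible_condition` starts outside this hunk.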
@@ -106,9 +114,9 @@ class Issue < ActiveRecord::Base
       when 'all'
         true
       when 'default'
-        !self.is_private? || self.author == user || user.is_or_belongs_to?(assigned_to)
+        !self.is_private? || (user.logged? && (self.author == user || user.is_or_belongs_to?(assigned_to)))
       when 'own'
-        self.author == user || user.is_or_belongs_to?(assigned_to)
+        user.logged? && (self.author == user || user.is_or_belongs_to?(assigned_to))
       else
         false
       end
index 05224701dd3ecbc712a2233fbe30638f01482eab..fc08313bc0f28bcaffcd8e74954341723013519c 100644 (file)
@@ -25,7 +25,7 @@ class IssueTest < ActiveSupport::TestCase
            :versions,
            :issue_statuses, :issue_categories, :issue_relations, :workflows,
            :enumerations,
-           :issues,
+           :issues, :journals, :journal_details,
            :custom_fields, :custom_fields_projects, :custom_fields_trackers, :custom_values,
            :time_entries
 
@@ -105,18 +105,6 @@ class IssueTest < ActiveSupport::TestCase
     assert_visibility_match User.anonymous, issues
   end
 
-  def test_visible_scope_for_anonymous_with_own_issues_visibility
-    Role.anonymous.update_attribute :issues_visibility, 'own'
-    Issue.create!(:project_id => 1, :tracker_id => 1,
-                  :author_id => User.anonymous.id,
-                  :subject => 'Issue by anonymous')
-
-    issues = Issue.visible(User.anonymous).all
-    assert issues.any?
-    assert_nil issues.detect {|issue| issue.author != User.anonymous}
-    assert_visibility_match User.anonymous, issues
-  end
-
   def test_visible_scope_for_anonymous_without_view_issues_permissions
     # Anonymous user should not see issues without permission
     Role.anonymous.remove_permission!(:view_issues)
@@ -125,6 +113,20 @@ class IssueTest < ActiveSupport::TestCase
     assert_visibility_match User.anonymous, issues
   end
 
+  def test_anonymous_should_not_see_private_issues_with_issues_visibility_set_to_default
+    assert Role.anonymous.update_attribute(:issues_visibility, 'default')
+    issue = Issue.generate_for_project!(Project.find(1), :author => User.anonymous, :assigned_to => User.anonymous, :is_private => true)
+    assert_nil Issue.where(:id => issue.id).visible(User.anonymous).first
+    assert !issue.visible?(User.anonymous)
+  end
+
+  def test_anonymous_should_not_see_private_issues_with_issues_visibility_set_to_own
+    assert Role.anonymous.update_attribute(:issues_visibility, 'own')
+    issue = Issue.generate_for_project!(Project.find(1), :author => User.anonymous, :assigned_to => User.anonymous, :is_private => true)
+    assert_nil Issue.where(:id => issue.id).visible(User.anonymous).first
+    assert !issue.visible?(User.anonymous)
+  end
+
   def test_visible_scope_for_non_member
     user = User.find(9)
     assert user.projects.empty?
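Review bot: The two new tests only pin the negative path (a private anonymous-authored issue stays hidden); nothing exercises the new `else` branch of the `'default'` case, which must still return non-private issues to anonymous users, so a regression that turned that branch into `'1=0'` would pass this suite. A positive counterpart is cheap with the same helpers, assuming project 1 remains visible to anonymous in the fixtures as the surrounding tests rely on. The two tests also differ only in the `issues_visibility` value; iterating over `%w(default own)` inside one test (or a small shared assertion helper) would avoid the copy-paste. The enclosing `IssueTest` class continues outside the hunk.
```ruby
  def test_anonymous_should_see_public_issues_with_issues_visibility_set_to_default
    assert Role.anonymous.update_attribute(:issues_visibility, 'default')
    issue = Issue.generate_for_project!(Project.find(1), :author => User.anonymous, :is_private => false)
    assert_equal issue, Issue.where(:id => issue.id).visible(User.anonymous).first
    assert issue.visible?(User.anonymous)
  end
```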