Adds visibility checks on version views (#27676).

Previously not all data on the roadmap and version view where properly
checked against the issue visibility setting. Unprivileged users were
able to see the total number of issues, their estimations and the
open/close status - even if the user was only allowed to see their own issues.

Patch by Gregor Schmidt.

git-svn-id: http://svn.redmine.org/redmine/trunk@17051 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/helpers/versions_helper.rb b/app/helpers/versions_helper.rb
index fe1fb88156f6099998790748a6b599a6b845bae4..9d088a9d9087fdc1926bf91c8f2cb622967bb962 100644 (file)
--- a/app/helpers/versions_helper.rb
+++ b/app/helpers/versions_helper.rb
@@ -57,9 +57,9 @@ module VersionsHelper
     h = Hash.new {|k,v| k[v] = [0, 0]}
     begin
       # Total issue count
-      version.fixed_issues.group(criteria).count.each {|c,s| h[c][0] = s}
+      version.fixed_issues.visible.group(criteria).count.each {|c,s| h[c][0] = s}
       # Open issues count
-      version.fixed_issues.open.group(criteria).count.each {|c,s| h[c][1] = s}
+      version.fixed_issues.visible.open.group(criteria).count.each {|c,s| h[c][1] = s}
     rescue ActiveRecord::RecordNotFound
     # When grouping by an association, Rails throws this exception if there's no result (bug)
     end

diff --git a/app/views/versions/_overview.html.erb b/app/views/versions/_overview.html.erb
index 2effb3180c9ebb31aee9e19f17293764ee015610..ec7a18a6fdc9198fd44d4670cf8360428217a1d0 100644 (file)
--- a/app/views/versions/_overview.html.erb
+++ b/app/views/versions/_overview.html.erb
@@ -14,22 +14,22 @@
 </ul>
 <% end %>
 
-<% if version.issues_count > 0 %>
-    <%= progress_bar([version.closed_percent, version.completed_percent],
+<% if version.fixed_issues.visible.count > 0 %>
+    <%= progress_bar([version.fixed_issues.visible.closed_percent, version.fixed_issues.visible.completed_percent],
                      :titles =>
-                       ["%s: %0.0f%%" % [l(:label_closed_issues_plural), version.closed_percent],
-                        "%s: %0.0f%%" % [l(:field_done_ratio), version.completed_percent]],
-                     :legend => ('%0.0f%%' % version.completed_percent)) %>
+                       ["%s: %0.0f%%" % [l(:label_closed_issues_plural), version.fixed_issues.visible.closed_percent],
+                        "%s: %0.0f%%" % [l(:field_done_ratio), version.fixed_issues.visible.completed_percent]],
+                     :legend => ('%0.0f%%' % version.fixed_issues.visible.completed_percent)) %>
     <p class="progress-info">
-      <%= link_to(l(:label_x_issues, :count => version.issues_count),
+      <%= link_to(l(:label_x_issues, :count => version.fixed_issues.visible.count),
                   version_filtered_issues_path(version, :status_id => '*')) %>
       &nbsp;
-      (<%= link_to_if(version.closed_issues_count > 0,
-                      l(:label_x_closed_issues_abbr, :count => version.closed_issues_count),
+      (<%= link_to_if(version.fixed_issues.visible.closed_count > 0,
+                      l(:label_x_closed_issues_abbr, :count => version.fixed_issues.visible.closed_count),
                       version_filtered_issues_path(version, :status_id => 'c')) %>
       &#8212;
-      <%= link_to_if(version.open_issues_count > 0,
-                     l(:label_x_open_issues_abbr, :count => version.open_issues_count),
+      <%= link_to_if(version.fixed_issues.visible.open_count > 0,
+                     l(:label_x_open_issues_abbr, :count => version.fixed_issues.visible.open_count),
                      version_filtered_issues_path(version, :status_id => 'o')) %>)
     </p>
 <% else %>

diff --git a/app/views/versions/show.html.erb b/app/views/versions/show.html.erb
index fc22a9ffb2774738b7a40e2f35c3ddad7fbc2298..83953cce0c8926d77374557b32567114d88a021e 100644 (file)
--- a/app/views/versions/show.html.erb
+++ b/app/views/versions/show.html.erb
@@ -12,12 +12,12 @@
 <%= render(:partial => "wiki/content", :locals => {:content => @version.wiki_page.content}) if @version.wiki_page %>
 
 <div id="version-summary">
-<% if @version.estimated_hours > 0 || User.current.allowed_to?(:view_time_entries, @project) %>
+<% if @version.fixed_issues.visible.estimated_hours > 0 || User.current.allowed_to?(:view_time_entries, @project) %>
 <fieldset class="time-tracking"><legend><%= l(:label_time_tracking) %></legend>
 <table>
 <tr>
     <th><%= l(:field_estimated_hours) %></th>
-    <td class="total-hours"><%= link_to html_hours(l_hours(@version.estimated_hours)),
+    <td class="total-hours"><%= link_to html_hours(l_hours(@version.fixed_issues.visible.estimated_hours)),
                                         project_issues_path(@version.project, :set_filter => 1, :status_id => '*', :fixed_version_id => @version.id, :c => [:tracker, :status, :subject, :estimated_hours], :t => [:estimated_hours]) %></td>
 </tr>
 <% if User.current.allowed_to_view_all_time_entries?(@project) %>