named_scope :visible, lambda {|*args| { :include => :project,
:conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
+ # Returns true if usr or current user is allowed to view the issue
+ def visible?(usr=nil)
+ (usr || User.current).allowed_to?(:view_issues, self.project)
+ end
+
def after_initialize
if new_record?
# set default values for new records only
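Review bot: The new `visible?` method and the `visible` named_scope above it encode the same rule in two places (`Project.allowed_to_condition(user, :view_issues)` on the scope side, `user.allowed_to?(:view_issues, project)` on the instance side), and nothing ties them together, so a future change to one is likely to drift from the other. I would extend the comment on `visible?` to `# Returns true if usr or current user is allowed to view the issue. Must stay consistent with the +visible+ named_scope above.` so the next maintainer sees the pairing. `self.project` could also be written as `project`, matching the rest of the model's style. `after_initialize` continues outside the hunk.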
<% if @issue.relations.any? %>
<table style="width:100%">
-<% @issue.relations.each do |relation| %>
+<% @issue.relations.select {|r| r.other_issue(@issue).visible? }.each do |relation| %>
<tr>
<td><%= l(relation.label_for(@issue)) %> <%= "(#{lwr(:actionview_datehelper_time_in_words_day, relation.delay)})" if relation.delay && relation.delay != 0 %>
<%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue relation.other_issue(@issue) %></td>
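Review bot: The filter on `@issue.relations` only applies to the loop, while `@issue.relations.any?` on the first line of the hunk still decides whether the relations table is rendered, so an issue whose every relation points to an issue the user cannot see still renders an empty table (and the surrounding relations markup), which reveals that hidden relations exist. Computing the filtered list once and using it for both decisions closes that gap: `<% visible_relations = @issue.relations.select {|r| r.other_issue(@issue).visible? } %>`, then `<% if visible_relations.any? %>` and `<% visible_relations.each do |relation| %>`. This also avoids evaluating `other_issue(@issue)` for the visibility check separately from the two calls already made per row below. The `if` block and table opened here close outside the hunk.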
:content => /Notes/ } }
end
+ def test_show_should_not_disclose_relations_to_invisible_issues
+ Setting.cross_project_issue_relations = '1'
+ IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates')
+ # Relation to a private project issue
+ IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(4), :relation_type => 'relates')
+
+ get :show, :id => 1
+ assert_response :success
+
+ assert_tag :div, :attributes => { :id => 'relations' },
+ :descendant => { :tag => 'a', :content => /#2$/ }
+ assert_no_tag :div, :attributes => { :id => 'relations' },
+ :descendant => { :tag => 'a', :content => /#4$/ }
+ end
+
def test_new_routing
assert_routing(
{:method => :get, :path => '/projects/1/issues/new'},
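Review bot: `Setting.cross_project_issue_relations = '1'` near the top of the new test is never reset, so whether later tests in this file run with cross-project relations enabled depends on how settings are persisted and cached in the test run, which the hunk does not show. Restoring the previous value explicitly, for example wrapping the body in `begin ... ensure Setting.cross_project_issue_relations = '0' end` (or resetting in `teardown`), keeps the test self-contained. The assertions themselves look right: the first one pins that the visible relation to #2 is still listed, so the `assert_no_tag` for #4 cannot pass merely because the relations div is missing.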