Check view watchers permission when copying issues (#40946).
authorMarius Balteanu <marius.balteanu@zitec.com>
Mon, 8 Jul 2024 21:30:36 +0000 (21:30 +0000)
committerMarius Balteanu <marius.balteanu@zitec.com>
Mon, 8 Jul 2024 21:30:36 +0000 (21:30 +0000)
Patch by Jens Kraemer (@jkraemer).

git-svn-id: https://svn.redmine.org/redmine/trunk@22914 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/issue.rb
test/unit/issue_test.rb

index 65dd900279efc498f0f2de0b35dc95a135a81689..369d7c1a6aca79c62e7b222837015b9941e8a2f2 100644 (file)
@@ -314,9 +314,9 @@ class Issue < ApplicationRecord
         attachement.copy(:container => self)
       end
     end
+
     unless options[:watchers] == false
-      self.watcher_user_ids =
-        issue.watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)
+      self.watcher_user_ids = issue.visible_watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)
     end
     @copied_from = issue
     @copy_options = options
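Review bot: The watcher filter on the new `self.watcher_user_ids = issue.visible_watcher_users...` line decides from ambient state rather than from anything passed in, and nothing at the call site says so. The test changes in this commit have to set `User.current` before copying, which suggests `visible_watcher_users` resolves against the current user. If so, a copy made by code that runs without a logged-in user would presumably drop watchers silently. I would add a comment above the assignment such as `# Copy only the watchers User.current may see (view_issue_watchers); the rest are dropped so a copy cannot expose a hidden watcher list`. The enclosing method starts and ends outside this hunk.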
index b35bf97a45dd804269df19663f60bb43d64f5300..7480fbc55073fcafd5bc8c759f70c017a069f0e5 100644 (file)
@@ -1498,6 +1498,8 @@ class IssueTest < ActiveSupport::TestCase
     user2 = User.find(3)
     issue = Issue.find(8)
 
+    User.current = user
+
     Watcher.create!(:user => user, :watchable => issue)
     Watcher.create!(:user => user2, :watchable => issue)
 
@@ -1511,6 +1513,24 @@ class IssueTest < ActiveSupport::TestCase
     assert !issue.watched_by?(user2)
   end
 
+  def test_copy_should_not_copy_watchers_without_permission
+    user = User.find(2)
+    user2 = User.find(3)
+    issue = Issue.find(8)
+
+    Role.find(1).remove_permission! :view_issue_watchers
+    User.current = user
+
+    Watcher.create!(:user => user, :watchable => issue)
+    Watcher.create!(:user => user2, :watchable => issue)
+
+    issue = Issue.new.copy_from(8)
+
+    assert issue.save
+    assert issue.watched_by?(user)
+    assert !issue.watched_by?(user2)
+  end
+
   def test_copy_should_clear_subtasks_target_version_if_locked_or_closed
     version = Version.new(:project => Project.find(1), :name => '2.1')
     version.save!
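Review bot: The assertions in `test_copy_should_not_copy_watchers_without_permission` only prove that `user2` is missing from the copy, so any other watcher carried over without the `view_issue_watchers` permission would go unnoticed. Pinning the whole list is tighter, e.g. `assert_equal [user.id], issue.watcher_user_ids`, assuming the fixtures give issue 8 no other watchers. The local `issue` is also rebound from the source record to the copy. Naming the result `copy = Issue.new.copy_from(8)` would make it clear which record the assertions inspect.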