From: Marius Balteanu <marius.balteanu@zitec.com>
Date: Mon, 8 Jul 2024 21:30:36 +0000 (+0000)
Subject: Check view watchers permission when copying issues (#40946).
X-Git-Tag: 6.0.0~270
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=f9f486bdd091fcfdc351b188981688dccffed210;p=redmine.git

Check view watchers permission when copying issues (#40946).

Patch by Jens Kraemer (@jkraemer).


git-svn-id: https://svn.redmine.org/redmine/trunk@22914 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/models/issue.rb b/app/models/issue.rb
index 65dd90027..369d7c1a6 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -314,9 +314,9 @@ class Issue < ApplicationRecord
         attachement.copy(:container => self)
       end
     end
+
     unless options[:watchers] == false
-      self.watcher_user_ids =
-        issue.watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)
+      self.watcher_user_ids = issue.visible_watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)
     end
     @copied_from = issue
     @copy_options = options
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index b35bf97a4..7480fbc55 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -1498,6 +1498,8 @@ class IssueTest < ActiveSupport::TestCase
     user2 = User.find(3)
     issue = Issue.find(8)
 
+    User.current = user
+
     Watcher.create!(:user => user, :watchable => issue)
     Watcher.create!(:user => user2, :watchable => issue)
 
@@ -1511,6 +1513,24 @@ class IssueTest < ActiveSupport::TestCase
     assert !issue.watched_by?(user2)
   end
 
+  def test_copy_should_not_copy_watchers_without_permission
+    user = User.find(2)
+    user2 = User.find(3)
+    issue = Issue.find(8)
+
+    Role.find(1).remove_permission! :view_issue_watchers
+    User.current = user
+
+    Watcher.create!(:user => user, :watchable => issue)
+    Watcher.create!(:user => user2, :watchable => issue)
+
+    issue = Issue.new.copy_from(8)
+
+    assert issue.save
+    assert issue.watched_by?(user)
+    assert !issue.watched_by?(user2)
+  end
+
   def test_copy_should_clear_subtasks_target_version_if_locked_or_closed
     version = Version.new(:project => Project.find(1), :name => '2.1')
     version.save!