From 0f4228d4e6dca2b23409b8a67632c473e0426555 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Sun, 24 Jan 2021 05:31:18 +0000
Subject: [PATCH] Do not propose watchers that are not allowed to see the object (#33329).

Patch by Marius BALTEANU.

git-svn-id: http://svn.redmine.org/redmine/trunk@20724 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/watchers_controller.rb | 7 ++++++-
 test/functional/watchers_controller_test.rb | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index f4e8f2287..86533c481 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -141,7 +141,12 @@ class WatchersController < ApplicationController
 end
 users = scope.sorted.like(params[:q]).to_a
 if @watchables && @watchables.size == 1
- users -= @watchables.first.watcher_users
+ watchable_object = @watchables.first
+ users -= watchable_object.watcher_users
+
+ if watchable_object.respond_to?(:visible?)
+ users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)}
+ end
 end
 users
 end
diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index 4ab9c8243..4e93ce606 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -335,6 +335,20 @@ class WatchersControllerTest < Redmine::ControllerTest
 assert_not_include hidden.name, response.body
 end

+ def test_autocomplete_for_user_should_not_return_users_without_object_visibility
+ @request.session[:user_id] = 1
+ get :autocomplete_for_user, :params => {
+ q: 'rober',
+ project_id: 'onlinestore',
+ object_id: '4',
+ object_type: 'issue'
+ }, :xhr => true
+
+ assert_response :success
+
+ assert response.body.blank?
+ end
+
 def test_append
 @request.session[:user_id] = 2
 assert_no_difference 'Watcher.count' do
--
2.39.5
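Review bot: The new visibility filter only runs inside the `if @watchables && @watchables.size == 1` branch, so when the action is invoked with several watchable objects (the size check implies it can be) the proposal list stays unfiltered and may still name users who cannot see some or all of those objects. Groups are also passed through untouched by the `user.is_a?(User)` guard, so a group whose members lack visibility is still proposed; a short comment stating whether that is intended would help. Consider applying the check to every watchable, e.g. `users.reject! {|user| user.is_a?(User) && @watchables.any? {|w| w.respond_to?(:visible?) && !w.visible?(user)}}`, and confirming that the create path enforces the same visibility rule server-side, since filtering the autocomplete alone does not stop a hand-built request from adding the user. The enclosing method starts outside the hunk.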
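Review bot: `assert response.body.blank?` is a weak assertion for the new test, because an empty body also results from `rober` matching nobody or from the project or object failing to resolve, so the test keeps passing under unrelated regressions that happen to empty the response. A positive control would pin the behaviour: a second `get` with an object the matching user can see, followed by asserting that user's name is included in the body (fixture-dependent, to be confirmed against the users and issues fixtures). A one-line comment explaining why the matching user cannot see issue 4 in project onlinestore would also make the test's intent clear to later readers.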