From 391bc8b763c603b81a98292795a756c10ab3ef06 Mon Sep 17 00:00:00 2001
From: Go MAEDA <maeda@farend.jp>
Date: Thu, 12 Jul 2018 21:58:22 +0000
Subject: [PATCH] Only allow the use of visible custom fields in time entry
 reports (#29162).

Patch by Holger Just.


git-svn-id: http://svn.redmine.org/redmine/trunk@17446 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 lib/redmine/helpers/time_report.rb     |  8 ++++----
 test/functional/timelog_report_test.rb | 12 ++++++++++++
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/lib/redmine/helpers/time_report.rb b/lib/redmine/helpers/time_report.rb
index fb6384cb6..5287ae95e 100644
--- a/lib/redmine/helpers/time_report.rb
+++ b/lib/redmine/helpers/time_report.rb
@@ -129,13 +129,13 @@ module Redmine
                                }
 
         # Add time entry custom fields
-        custom_fields = TimeEntryCustomField.all
+        custom_fields = TimeEntryCustomField.visible
         # Add project custom fields
-        custom_fields += ProjectCustomField.all
+        custom_fields += ProjectCustomField.visible
         # Add issue custom fields
-        custom_fields += (@project.nil? ? IssueCustomField.for_all : @project.all_issue_custom_fields)
+        custom_fields += @project.nil? ? IssueCustomField.visible.for_all : @project.all_issue_custom_fields.visible
         # Add time entry activity custom fields
-        custom_fields += TimeEntryActivityCustomField.all
+        custom_fields += TimeEntryActivityCustomField.visible
 
         # Add list and boolean custom fields as available criteria
         custom_fields.select {|cf| %w(list bool).include?(cf.field_format) && !cf.multiple?}.each do |cf|
diff --git a/test/functional/timelog_report_test.rb b/test/functional/timelog_report_test.rb
index 35ec559fc..252a5909c 100644
--- a/test/functional/timelog_report_test.rb
+++ b/test/functional/timelog_report_test.rb
@@ -135,6 +135,18 @@ class TimelogReportTest < Redmine::ControllerTest
     end
   end
 
+  def test_hidden_custom_fields_should_not_be_proposed
+    TimeEntryCustomField.create!(name: 'shown', field_format: 'list', possible_values: ['value1', 'value2'], visible: true)
+    TimeEntryCustomField.create!(name: 'Hidden', field_format: 'list', possible_values: ['value1', 'value2'], visible: false)
+
+    get :report, :params => {:project_id => 1}
+    assert_response :success
+    assert_select 'select[name=?]', 'criteria[]' do
+      assert_select 'option', :text => 'Shown'
+      assert_select 'option', :text => 'Hidden', :count => 0
+    end
+  end
+
   def test_report_one_day
     get :report, :params => {:project_id => 1, :columns => 'day', :from => "2007-03-23", :to => "2007-03-23", :criteria => ["user", "activity"]}
     assert_response :success
-- 
2.39.5