From 59d8ae61ef731351ca54a19bd9868b0b1e862c66 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Wed, 19 Sep 2012 21:48:33 +0000
Subject: [PATCH] Anonymous users should not see private issues with anonymous author (#11872).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10433 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/issue.rb | 20 ++++++++++++++------
 test/unit/issue_test.rb | 28 +++++++++++++++-------------
 2 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/app/models/issue.rb b/app/models/issue.rb
index 6e7f9a52c..5b1cfadb8 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -88,11 +88,19 @@ class Issue < ActiveRecord::Base
 when 'all'
 nil
 when 'default'
- user_ids = [user.id] + user.groups.map(&:id)
- "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+ if user.logged?
+ user_ids = [user.id] + user.groups.map(&:id)
+ "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+ else
+ "(#{table_name}.is_private = #{connection.quoted_false})"
+ end
 when 'own'
- user_ids = [user.id] + user.groups.map(&:id)
- "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+ if user.logged?
+ user_ids = [user.id] + user.groups.map(&:id)
+ "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+ else
+ '1=0'
+ end
 else
 '1=0'
 end
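Review bot: The new `user.logged?` guards in the 'default' and 'own' branches carry no comment saying why an anonymous author or assignee must not count, which is the entire point of the fix and is easy for a later editor to "simplify" away. A one-line comment above the first guard would pin it, e.g. `# All anonymous visitors map to the one User.anonymous record (as far as I can tell from Redmine's User.anonymous), so matching author_id/assigned_to_id for an anonymous user would expose one visitor's private issue to every other visitor.` The same rule is restated in Ruby in the `visible?` hunk below (@@ -106,9), so the comment should also say that the SQL scope and `visible?` must be kept in step. The `user_ids = [user.id] + user.groups.map(&:id)` line and the author/assignee fragment are now written twice; a small private helper returning that fragment would remove the copy. The enclosing method starts before the hunk and its `case` header is not visible here.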
@@ -106,9 +114,9 @@ class Issue < ActiveRecord::Base
 when 'all'
 true
 when 'default'
- !self.is_private? || self.author == user || user.is_or_belongs_to?(assigned_to)
+ !self.is_private? || (user.logged? && (self.author == user || user.is_or_belongs_to?(assigned_to)))
 when 'own'
- self.author == user || user.is_or_belongs_to?(assigned_to)
+ user.logged? && (self.author == user || user.is_or_belongs_to?(assigned_to))
 else
 false
 end
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index 05224701d..fc08313bc 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -25,7 +25,7 @@ class IssueTest < ActiveSupport::TestCase
 :versions,
 :issue_statuses, :issue_categories, :issue_relations, :workflows,
 :enumerations,
- :issues,
+ :issues, :journals, :journal_details,
 :custom_fields, :custom_fields_projects, :custom_fields_trackers, :custom_values,
 :time_entries
 
@@ -105,18 +105,6 @@ class IssueTest < ActiveSupport::TestCase
 assert_visibility_match User.anonymous, issues
 end
 
- def test_visible_scope_for_anonymous_with_own_issues_visibility
- Role.anonymous.update_attribute :issues_visibility, 'own'
- Issue.create!(:project_id => 1, :tracker_id => 1,
- :author_id => User.anonymous.id,
- :subject => 'Issue by anonymous')
-
- issues = Issue.visible(User.anonymous).all
- assert issues.any?
- assert_nil issues.detect {|issue| issue.author != User.anonymous}
- assert_visibility_match User.anonymous, issues
- end
-
 def test_visible_scope_for_anonymous_without_view_issues_permissions
 # Anonymous user should not see issues without permission
 Role.anonymous.remove_permission!(:view_issues)
@@ -125,6 +113,20 @@ class IssueTest < ActiveSupport::TestCase
 assert_visibility_match User.anonymous, issues
 end
 
+ def test_anonymous_should_not_see_private_issues_with_issues_visibility_set_to_default
+ assert Role.anonymous.update_attribute(:issues_visibility, 'default')
+ issue = Issue.generate_for_project!(Project.find(1), :author => User.anonymous, :assigned_to => User.anonymous, :is_private => true)
+ assert_nil Issue.where(:id => issue.id).visible(User.anonymous).first
+ assert !issue.visible?(User.anonymous)
+ end
+
+ def test_anonymous_should_not_see_private_issues_with_issues_visibility_set_to_own
+ assert Role.anonymous.update_attribute(:issues_visibility, 'own')
+ issue = Issue.generate_for_project!(Project.find(1), :author => User.anonymous, :assigned_to => User.anonymous, :is_private => true)
+ assert_nil Issue.where(:id => issue.id).visible(User.anonymous).first
+ assert !issue.visible?(User.anonymous)
+ end
+
 def test_visible_scope_for_non_member
 user = User.find(9)
 assert user.projects.empty?
-- 
2.39.5
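Review bot: The new 'own' test only checks a private issue, so nothing in this commit pins the other half of the scope change: under 'own' an anonymous user now sees no issues at all (the scope returns `'1=0'` and `visible?` returns false) even when the issue is not private, and the test the commit deletes (test_visible_scope_for_anonymous_with_own_issues_visibility) was the one exercising that path. Adding a second issue to that test, e.g. `public_issue = Issue.generate_for_project!(Project.find(1), :author => User.anonymous, :is_private => false)` followed by `assert !public_issue.visible?(User.anonymous)` and the matching `assert_nil` on the scope, would lock the behaviour in so a later change to the 'own' branch cannot silently reopen it. The two new tests differ only in the visibility value; iterating over `%w[default own]` or extracting a small helper taking the visibility would remove the duplicated body.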