From 923deb7fa08aa5d1a42da1de7d826cef07a798c9 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Sat, 15 Aug 2020 07:28:20 +0000
Subject: [PATCH] Merged r19975 from trunk to 4.1-stable (#33689).
git-svn-id: http://svn.redmine.org/redmine/branches/4.1-stable@19978 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/issue.rb | 1 -
 test/functional/issues_controller_test.rb | 18 ++++++++++++++++++
 test/unit/issue_test.rb | 17 +++++++++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/app/models/issue.rb b/app/models/issue.rb
index b52225137..690af5135 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -471,7 +471,6 @@ class Issue < ActiveRecord::Base
 'custom_field_values',
 'custom_fields',
 'lock_version',
- 'notes',
 :if => lambda {|issue, user| issue.new_record? || issue.attributes_editable?(user)})
 safe_attributes(
 'notes',
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb
index c6adfbc10..9222d8280 100644
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@@ -5238,6 +5238,24 @@ class IssuesControllerTest < Redmine::ControllerTest
 assert_equal spent_hours_before + 2.5, issue.spent_hours
 end
+ def test_put_update_should_check_add_issue_notes_permission
+ role = Role.find(1)
+ role.remove_permission! :add_issue_notes
+ @request.session[:user_id] = 2
+
+ assert_no_difference 'Journal.count' do
+ put(
+ :update,
+ :params => {
+ :id => 1,
+ :issue => {
+ :notes => 'New note'
+ }
+ }
+ )
+ end
+ end
+
 def test_put_update_should_preserve_parent_issue_even_if_not_visible
 parent = Issue.generate!(:project_id => 1, :is_private => true)
 issue = Issue.generate!(:parent_issue_id => parent.id)
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index caeb2f324..1c49d0462 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
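Review bot: In test/functional/issues_controller_test.rb, `test_put_update_should_check_add_issue_notes_permission` asserts only that `Journal.count` is unchanged, so it would also pass if the PUT were refused before the update ran, for instance with a 403 caused by an unrelated fixture or permission change. Pinning the response after the `assert_no_difference` block, e.g. `assert_response :redirect` if a note-only update by this user is expected to be accepted with the note dropped (the controller is not visible here, so confirm the status), would show that `notes` was filtered rather than the whole request rejected. The request also carries nothing but `:notes`; a second case that sends an editable attribute together with `:notes` and asserts the new journal's `notes` is blank would cover a user who may edit the issue but lacks `add_issue_notes`, which is the path the removed `'notes'` entry in app/models/issue.rb used to allow.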
@@ -898,6 +898,23 @@ class IssueTest < ActiveSupport::TestCase
 assert_equal Date.parse('2012-07-14'), issue.due_date
 end
+ def test_safe_attributes_notes_should_check_add_issue_notes_permission
+ # With add_issue_notes permission
+ user = User.find(2)
+ issue = Issue.new(:project => Project.find(1))
+ issue.init_journal(user)
+ issue.send :safe_attributes=, {'notes' => 'note'}, user
+ assert_equal 'note', issue.notes
+
+ # Without add_issue_notes permission
+ Role.find(1).remove_permission!(:add_issue_notes)
+ issue = Issue.new(:project => Project.find(1))
+ user.reload
+ issue.init_journal(user)
+ issue.send :safe_attributes=, {'notes' => 'note'}, user
+ assert_equal '', issue.notes
+ end
+
 def test_safe_attributes_should_accept_target_tracker_enabled_fields
 source = Tracker.find(1)
 source.core_fields = []
-- 
2.39.5
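Review bot: Both halves of `test_safe_attributes_notes_should_check_add_issue_notes_permission` build the issue with `Issue.new`, so only a new record is exercised. The condition that used to admit `notes` in app/models/issue.rb was `issue.new_record? || issue.attributes_editable?(user)`, and the `attributes_editable?` side (an existing issue edited by a user without `add_issue_notes`) is not checked at the model level. Consider repeating the "without permission" half with a persisted issue, e.g. `issue = Issue.find(1)` (assuming that fixture belongs to project 1, as the functional test's `:id => 1` suggests), and asserting `issue.notes` is still `''`. A short comment above `user.reload`, such as `# reload so the role change is seen by the permission check` (presumably its purpose), would explain why the call is there.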