From cd75ba33e9eddce1b27e1f872b4271d8a8847ef0 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Wed, 29 Nov 2017 19:37:20 +0000
Subject: [PATCH] Adds visibility checks on version views (#27676).

Previously not all data on the roadmap and version view where properly
checked against the issue visibility setting. Unprivileged users were
able to see the total number of issues, their estimations and the
open/close status - even if the user was only allowed to see their own issues.

Patch by Gregor Schmidt.

git-svn-id: http://svn.redmine.org/redmine/trunk@17051 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/helpers/versions_helper.rb        |  4 ++--
 app/views/versions/_overview.html.erb | 20 ++++++++++----------
 app/views/versions/show.html.erb      |  4 ++--
 3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/app/helpers/versions_helper.rb b/app/helpers/versions_helper.rb
index fe1fb8815..9d088a9d9 100644
--- a/app/helpers/versions_helper.rb
+++ b/app/helpers/versions_helper.rb
@@ -57,9 +57,9 @@ module VersionsHelper
     h = Hash.new {|k,v| k[v] = [0, 0]}
     begin
       # Total issue count
-      version.fixed_issues.group(criteria).count.each {|c,s| h[c][0] = s}
+      version.fixed_issues.visible.group(criteria).count.each {|c,s| h[c][0] = s}
       # Open issues count
-      version.fixed_issues.open.group(criteria).count.each {|c,s| h[c][1] = s}
+      version.fixed_issues.visible.open.group(criteria).count.each {|c,s| h[c][1] = s}
     rescue ActiveRecord::RecordNotFound
     # When grouping by an association, Rails throws this exception if there's no result (bug)
     end
diff --git a/app/views/versions/_overview.html.erb b/app/views/versions/_overview.html.erb
index 2effb3180..ec7a18a6f 100644
--- a/app/views/versions/_overview.html.erb
+++ b/app/views/versions/_overview.html.erb
@@ -14,22 +14,22 @@
 </ul>
 <% end %>
 
-<% if version.issues_count > 0 %>
-    <%= progress_bar([version.closed_percent, version.completed_percent],
+<% if version.fixed_issues.visible.count > 0 %>
+    <%= progress_bar([version.fixed_issues.visible.closed_percent, version.fixed_issues.visible.completed_percent],
                      :titles =>
-                       ["%s: %0.0f%%" % [l(:label_closed_issues_plural), version.closed_percent],
-                        "%s: %0.0f%%" % [l(:field_done_ratio), version.completed_percent]],
-                     :legend => ('%0.0f%%' % version.completed_percent)) %>
+                       ["%s: %0.0f%%" % [l(:label_closed_issues_plural), version.fixed_issues.visible.closed_percent],
+                        "%s: %0.0f%%" % [l(:field_done_ratio), version.fixed_issues.visible.completed_percent]],
+                     :legend => ('%0.0f%%' % version.fixed_issues.visible.completed_percent)) %>
     <p class="progress-info">
-      <%= link_to(l(:label_x_issues, :count => version.issues_count),
+      <%= link_to(l(:label_x_issues, :count => version.fixed_issues.visible.count),
                   version_filtered_issues_path(version, :status_id => '*')) %>
       &nbsp;
-      (<%= link_to_if(version.closed_issues_count > 0,
-                      l(:label_x_closed_issues_abbr, :count => version.closed_issues_count),
+      (<%= link_to_if(version.fixed_issues.visible.closed_count > 0,
+                      l(:label_x_closed_issues_abbr, :count => version.fixed_issues.visible.closed_count),
                       version_filtered_issues_path(version, :status_id => 'c')) %>
       &#8212;
-      <%= link_to_if(version.open_issues_count > 0,
-                     l(:label_x_open_issues_abbr, :count => version.open_issues_count),
+      <%= link_to_if(version.fixed_issues.visible.open_count > 0,
+                     l(:label_x_open_issues_abbr, :count => version.fixed_issues.visible.open_count),
                      version_filtered_issues_path(version, :status_id => 'o')) %>)
     </p>
 <% else %>
diff --git a/app/views/versions/show.html.erb b/app/views/versions/show.html.erb
index fc22a9ffb..83953cce0 100644
--- a/app/views/versions/show.html.erb
+++ b/app/views/versions/show.html.erb
@@ -12,12 +12,12 @@
 <%= render(:partial => "wiki/content", :locals => {:content => @version.wiki_page.content}) if @version.wiki_page %>
 
 <div id="version-summary">
-<% if @version.estimated_hours > 0 || User.current.allowed_to?(:view_time_entries, @project) %>
+<% if @version.fixed_issues.visible.estimated_hours > 0 || User.current.allowed_to?(:view_time_entries, @project) %>
 <fieldset class="time-tracking"><legend><%= l(:label_time_tracking) %></legend>
 <table>
 <tr>
     <th><%= l(:field_estimated_hours) %></th>
-    <td class="total-hours"><%= link_to html_hours(l_hours(@version.estimated_hours)),
+    <td class="total-hours"><%= link_to html_hours(l_hours(@version.fixed_issues.visible.estimated_hours)),
                                         project_issues_path(@version.project, :set_filter => 1, :status_id => '*', :fixed_version_id => @version.id, :c => [:tracker, :status, :subject, :estimated_hours], :t => [:estimated_hours]) %></td>
 </tr>
 <% if User.current.allowed_to_view_all_time_entries?(@project) %>
-- 
2.39.5