From ce831ae5e4acfd6c1d36809aedeb54d23f264288 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Tue, 27 Aug 2019 10:20:09 +0000
Subject: [PATCH] Reject project custom field values not visible for the user (#31954, #31925).
Patch by Marius BALTEANU.
git-svn-id: http://svn.redmine.org/redmine/trunk@18401 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
app/models/project.rb | 17 +++++++++++++++++
test/unit/project_test.rb | 24 ++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/app/models/project.rb b/app/models/project.rb
index 1e925751a..b04cec68c 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -787,6 +787,18 @@ class Project < ActiveRecord::Base
 end
 end
 
+ # Reject custom fields values not visible by the user
+ if attrs['custom_field_values'].present?
+ editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}
+ attrs['custom_field_values'].reject! {|k, v| !editable_custom_field_ids.include?(k.to_s)}
+ end
+
+ # Reject custom fields not visible by the user
+ if attrs['custom_fields'].present?
+ editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}
+ attrs['custom_fields'].reject! {|c| !editable_custom_field_ids.include?(c['id'].to_s)}
+ end
+
 super(attrs, user)
 end
 
@@ -864,6 +876,11 @@ class Project < ActiveRecord::Base
 end
 end
 
+ # Returns the custom_field_values that can be edited by the given user
+ def editable_custom_field_values(user=nil)
+ visible_custom_field_values(user)
+ end
+
 def visible_custom_field_values(user = nil)
 user ||= User.current
 custom_field_values.select do |value|
diff --git a/test/unit/project_test.rb b/test/unit/project_test.rb
index 7922b6e9a..1a8e3e67b 100644
--- a/test/unit/project_test.rb
+++ b/test/unit/project_test.rb
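Review bot: The two added `if` branches look the filtered attribute up by string key only (`attrs['custom_field_values']`, `attrs['custom_fields']`) and do nothing when that key is absent, so a symbol-keyed hash such as `{:custom_field_values => {...}}` would reach `super` unfiltered unless the method has already normalised its keys before this point — the start of `safe_attributes=` is outside the hunk, so that cannot be confirmed here. If keys are not stringified earlier, one `attrs = attrs.stringify_keys` ahead of the branches (or looking up both key forms) makes the check fail closed rather than open. The id list is also built twice from `editable_custom_field_values(user)`, each call running the `custom_field_values.select` in the second hunk; hoisting `editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}` above both branches removes the repeated pass, and the unused block parameter in `{|k, v| ...}` reads better as `_v`. Note that `reject!` edits `attrs` in place, so the caller's hash is altered too if `attrs` was not copied earlier in the method.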
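Review bot: The comment on `editable_custom_field_values` promises an editability rule, but the body only delegates to `visible_custom_field_values`, so the comment should state that editability currently equals visibility for project custom fields, e.g. `# Returns the custom_field_values that can be edited by the given user (currently the same as the values visible to the user)`; otherwise a reader will look for a separate rule that does not exist. The signature `user=nil` also differs from the neighbouring `visible_custom_field_values(user = nil)`; `def editable_custom_field_values(user = nil)` keeps the two consistent.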
@@ -1043,4 +1043,28 @@ class ProjectTest < ActiveSupport::TestCase
 Project.distinct.visible.to_a
 end
 end
+
+ def test_safe_attributes_should_include_only_custom_fields_visible_to_user
+ cf1 = ProjectCustomField.create!(:name => 'Visible field',
+ :field_format => 'string',
+ :visible => false, :role_ids => [1])
+ cf2 = ProjectCustomField.create!(:name => 'Non visible field',
+ :field_format => 'string',
+ :visible => false, :role_ids => [3])
+ user = User.find(2)
+ project = Project.find(1)
+
+ project.send :safe_attributes=, {'custom_field_values' => {
+ cf1.id.to_s => 'value1', cf2.id.to_s => 'value2'
+ }}, user
+ assert_equal 'value1', project.custom_field_value(cf1)
+ assert_nil project.custom_field_value(cf2)
+
+ project.send :safe_attributes=, {'custom_fields' => [
+ {'id' => cf1.id.to_s, 'value' => 'valuea'},
+ {'id' => cf2.id.to_s, 'value' => 'valueb'}
+ ]}, user
+ assert_equal 'valuea', project.custom_field_value(cf1)
+ assert_nil project.custom_field_value(cf2)
+ end
 end
-- 
2.39.5
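Review bot: Both assignments in the new test use string keys, so the case where a symbol-keyed hash reaches `safe_attributes=` is not exercised even though the filter under test looks its attributes up by string key; if such hashes can reach the method, a third assignment with `{:custom_field_values => {cf2.id.to_s => 'value2'}}` followed by `assert_nil project.custom_field_value(cf2)` would pin that path. The assertions also imply fixture state — user 2 holds role 1 but not role 3 in project 1 — that is only visible through the ids; a one-line comment such as `# user 2 is a member of project 1 with role 1 only` would make the expectation readable. The name 'Visible field' next to `:visible => false` reads confusingly; 'Field visible to role 1' says what is meant.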