From d4b7634cc6c8f992a2d466c0302eebb7ccbd30a8 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Sat, 17 Sep 2022 06:14:27 +0000
Subject: [PATCH] Consider only roles with either add_issues or edit_issues permissions for any status transitions (#37635). Patch by Holger Just.
git-svn-id: https://svn.redmine.org/redmine/trunk@21817 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/issue.rb | 11 +++++++----
 test/unit/issue_test.rb | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 84907a475..0e634bf8b 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -677,9 +677,7 @@ class Issue < ActiveRecord::Base
 def workflow_rule_by_attribute(user=nil)
 return @workflow_rule_by_attribute if @workflow_rule_by_attribute && user.nil?
- user_real = user || User.current
- roles = user_real.admin ? Role.all.to_a : user_real.roles_for_project(project)
- roles = roles.select(&:consider_workflow?)
+ roles = roles_for_workflow(user || User.current)
 return {} if roles.empty?
 result = {}
@@ -1066,7 +1064,7 @@ class Issue < ActiveRecord::Base
 statuses = []
 statuses += IssueStatus.new_statuses_allowed(
 initial_status,
- user.admin ? Role.all.to_a : user.roles_for_project(project),
+ roles_for_workflow(user),
 tracker,
 author == user,
 assignee_transitions_allowed
@@ -2053,4 +2051,9 @@ class Issue < ActiveRecord::Base
 Project
 end
 end
+
+ def roles_for_workflow(user)
+ roles = user.admin ? Role.all.to_a : user.roles_for_project(project)
+ roles.select(&:consider_workflow?)
+ end
 end
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index f054cee96..b056ffb18 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
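Review bot: In the second hunk of app/models/issue.rb (`new_statuses_allowed_to`), the role list handed to `IssueStatus.new_statuses_allowed` can now be empty for any user, admins included, when none of the roles passes `consider_workflow?`. How that call treats an empty list is not visible in the hunk, so this is an inference to confirm. `workflow_rule_by_attribute` guards the same case explicitly with `return {} if roles.empty?`. A unit test that removes `add_issues` and `edit_issues` from every role a user holds and asserts the resulting status list would pin the intended behaviour. The enclosing method starts and ends outside the hunk.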
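Review bot: The new `roles_for_workflow` helper in the third hunk of app/models/issue.rb has no comment, although it is now the single place that decides which roles count for status transitions and field rules. Suggest adding above the `def`: `# Returns the roles of +user+ that are subject to workflow rules: every role for an admin, otherwise the user's roles on this issue's project, keeping only those for which consider_workflow? is true.` Whether the method sits below a `private` marker cannot be seen from the hunk; since both callers shown are inside `Issue`, it probably should.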
@@ -859,6 +859,28 @@ class IssueTest < ActiveSupport::TestCase
 assert_equal expected_statuses, issue.new_statuses_allowed_to(admin)
 end
+ def test_new_statuses_allowed_to_should_only_return_transitions_of_considered_workflows
+ issue = Issue.find(9)
+
+ WorkflowTransition.delete_all
+ WorkflowTransition.create!(:role_id => 1, :tracker_id => 1, :old_status_id => 1, :new_status_id => 2)
+
+ developer = Role.find(2)
+ developer.remove_permission! :edit_issues
+ developer.remove_permission! :add_issues
+ assert !developer.consider_workflow?
+ WorkflowTransition.create!(:role_id => 2, :tracker_id => 1, :old_status_id => 1, :new_status_id => 3)
+
+ # status 3 is not displayed
+ expected_statuses = IssueStatus.where(:id => [1, 2])
+
+ admin = User.find(1)
+ assert_equal expected_statuses, issue.new_statuses_allowed_to(admin)
+
+ author = User.find(8)
+ assert_equal expected_statuses, issue.new_statuses_allowed_to(author)
+ end
+
 def test_new_statuses_allowed_to_should_return_allowed_statuses_when_copying
 Tracker.find(1).generate_transitions! :role_id => 1, :clear => true, 0 => [1, 3]
-- 
2.39.5
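Review bot: The new test never establishes that the author (user 8) holds role 2 on issue 9's project, so the second `assert_equal` could pass without exercising the new filter; that depends on fixtures outside the hunk. A control assertion made while role 2 still has `edit_issues`, showing that status 3 is offered, would tie the result to `consider_workflow?` rather than to fixture state. `assert !developer.consider_workflow?` reads better as `assert_not developer.consider_workflow?`. The comment could also state the reason, for example `# status 3 is only reachable through role 2, which is no longer considered`.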