From d5ca4a3593de4f997c3caa10ed3cd74f95307571 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Tue, 30 Aug 2016 19:24:03 +0000
Subject: [PATCH] Fixed that restricted custom permissions on for non
 member/anonymous does not work (#23655).

git-svn-id: http://svn.redmine.org/redmine/trunk@15750 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/project.rb   |  4 +++-
 test/unit/issue_test.rb | 22 ++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/app/models/project.rb b/app/models/project.rb
index d5c826523..b6ca8a095 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -197,7 +197,9 @@ class Project < ActiveRecord::Base
         if role.allowed_to?(permission)
           s = "#{Project.table_name}.is_public = #{connection.quoted_true}"
           if user.id
-            s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} WHERE user_id = #{user.id}))"
+            group = role.anonymous? ? Group.anonymous : Group.non_member
+            principal_ids = [user.id, group.id].compact
+            s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} WHERE user_id IN (#{principal_ids.join(',')})))"
           end
           statement_by_role[role] = s
         end
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index 78a06556e..8c95023e7 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -319,6 +319,28 @@ class IssueTest < ActiveSupport::TestCase
     assert_equal false, Issue.where(:project_id => 1).first.visible?(user)
   end
 
+  def test_visible_scope_with_custom_non_member_role_having_restricted_permission
+    role = Role.generate!(:permissions => [:view_project])
+    assert Role.non_member.has_permission?(:view_issues)
+    user = User.generate!
+    Member.create!(:principal => Group.non_member, :project_id => 1, :roles => [role])
+
+    issues = Issue.visible(user).to_a
+    assert issues.any?
+    assert_nil issues.detect {|issue| issue.project_id == 1}
+  end
+
+  def test_visible_scope_with_custom_non_member_role_having_extended_permission
+    role = Role.generate!(:permissions => [:view_project, :view_issues])
+    Role.non_member.remove_permission!(:view_issues)
+    user = User.generate!
+    Member.create!(:principal => Group.non_member, :project_id => 1, :roles => [role])
+
+    issues = Issue.visible(user).to_a
+    assert issues.any?
+    assert_not_nil issues.detect {|issue| issue.project_id == 1}
+  end
+
   def test_visible_scope_for_member_with_groups_should_return_assigned_issues
     user = User.find(8)
     assert user.groups.any?
-- 
2.39.5