From e1928aaf1944559ce3fd5594fe0988d42719c689 Mon Sep 17 00:00:00 2001
From: Go MAEDA <maeda@farend.jp>
Date: Mon, 31 Oct 2022 09:04:46 +0000
Subject: [PATCH] Read-only field permission for the project field is ignored
 if the current project has subprojects (#37685).

Patch by salman mp.


git-svn-id: https://svn.redmine.org/redmine/trunk@21937 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/helpers/issues_helper.rb              | 16 +++++++++++-----
 test/functional/issues_controller_test.rb | 20 ++++++++++++++++++++
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb
index de4ca4435..dfe577650 100644
--- a/app/helpers/issues_helper.rb
+++ b/app/helpers/issues_helper.rb
@@ -764,12 +764,18 @@ module IssuesHelper
   end
 
   def projects_for_select(issue)
-    if issue.parent_issue_id.present?
-      issue.allowed_target_projects_for_subtask(User.current)
-    elsif @project && issue.new_record? && !issue.copy?
-      issue.allowed_target_projects(User.current, 'tree')
+    projects =
+      if issue.parent_issue_id.present?
+        issue.allowed_target_projects_for_subtask(User.current)
+      elsif @project && issue.new_record? && !issue.copy?
+        issue.allowed_target_projects(User.current, 'tree')
+      else
+        issue.allowed_target_projects(User.current)
+      end
+    if issue.read_only_attribute_names(User.current).include?('project_id')
+      params['project_id'].present? ? Project.where(identifier: params['project_id']) : projects
     else
-      issue.allowed_target_projects(User.current)
+      projects
     end
   end
 end
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb
index e47462b21..a10abbd12 100644
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@@ -5665,6 +5665,26 @@ class IssuesControllerTest < Redmine::ControllerTest
     assert_select 'select[name=?]', 'issue[project_id]', 0
   end
 
+  def test_new_should_hide_project_if_user_is_not_allowed_to_change_project_in_hierarchy_projects
+    WorkflowPermission.create!(:role_id => 1, :tracker_id => 1, :old_status_id => 1,
+                               :field_name => 'project_id', :rule => 'readonly')
+
+    @request.session[:user_id] = 2
+    get(:new, :params => { :tracker_id => 1, :project_id => 1 })
+    assert_response :success
+    assert_select 'select[name=?]', 'issue[project_id]', 0
+  end
+
+  def test_new_should_show_project_if_user_is_not_allowed_to_change_project_global_new_issue
+    WorkflowPermission.create!(:role_id => 1, :tracker_id => 1, :old_status_id => 1,
+                               :field_name => 'project_id', :rule => 'readonly')
+
+    @request.session[:user_id] = 2
+    get(:new, :params => { :tracker_id => 1})
+    assert_response :success
+    assert_select 'select[name=?]', 'issue[project_id]'
+  end
+
   def test_edit_should_not_hide_project_when_user_changes_the_project_even_if_project_is_readonly_on_target_project
     WorkflowPermission.create!(:role_id => 1, :tracker_id => 1, :old_status_id => 1,
                                :field_name => 'project_id', :rule => 'readonly')
-- 
2.39.5