Fixed that members without view issues permission are able to list issues on public projects if the non member role has the permission (#20206).

git-svn-id: http://svn.redmine.org/redmine/trunk@14450 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/project.rb

@@ -188,7 +188,11 @@ class Project < ActiveRecord::Base
       unless options[:member]
         role = user.builtin_role
         if role.allowed_to?(permission)
-          statement_by_role[role] = "#{Project.table_name}.is_public = #{connection.quoted_true}"
+          s = "#{Project.table_name}.is_public = #{connection.quoted_true}"
+          if user.id
+            s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} WHERE user_id = #{user.id}))"
+          end
+          statement_by_role[role] = s
         end
       end
       user.projects_by_role.each do |role, projects|

test/unit/issue_test.rb

@@ -310,6 +310,15 @@ class IssueTest < ActiveSupport::TestCase
     assert_visibility_match user, issues
   end
 
+  def test_visible_scope_for_member_without_view_issues_permission_and_non_member_role_having_the_permission
+    Role.non_member.add_permission!(:view_issues)
+    Role.find(1).remove_permission!(:view_issues)
+    user = User.find(2)
+
+    assert_equal 0, Issue.where(:project_id => 1).visible(user).count
+    assert_equal false, Issue.where(:project_id => 1).first.visible?(user)
+  end
+
   def test_visible_scope_for_member_with_groups_should_return_assigned_issues
     user = User.find(8)
     assert user.groups.any?