Unable to download file if custom field is not defined as visible to any users (#26705).

git-svn-id: http://svn.redmine.org/redmine/trunk@17158 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/custom_value.rb

@@ -37,12 +37,18 @@ class CustomValue < ActiveRecord::Base
     custom_field.editable?
   end
 
-  def visible?
-    custom_field.visible?
+  def visible?(user=User.current)
+    if custom_field.visible?
+      true
+    elsif customized.respond_to?(:project)
+      custom_field.visible_by?(customized.project, user)
+    else
+      false
+    end
   end
 
   def attachments_visible?(user)
-    visible? && customized && customized.visible?(user)
+    visible?(user) && customized && customized.visible?(user)
   end
 
   def required?

test/functional/attachments_visibility_test.rb

@@ -0,0 +1,58 @@
+# encoding: utf-8
+#
+# Redmine - project management software
+# Copyright (C) 2006-2017  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+require File.expand_path('../../test_helper', __FILE__)
+
+class AttachmentsVisibilityTest < Redmine::ControllerTest
+  tests AttachmentsController
+  fixtures :users, :email_addresses, :projects, :roles, :members, :member_roles,
+           :enabled_modules, :projects_trackers, :issue_statuses, :enumerations,
+           :issues, :trackers, :versions
+
+  def setup
+    set_tmp_attachments_directory
+
+    @field = IssueCustomField.generate!(:field_format => 'attachment', :visible => true)
+    @attachment = new_record(Attachment) do
+      issue = Issue.generate
+      issue.custom_field_values = {@field.id => {:file => mock_file}}
+      issue.save!
+    end
+  end
+
+  def test_attachment_should_be_visible
+    @request.session[:user_id] = 2 # manager
+    get :show, :params => {:id => @attachment.id}
+    assert_response :success
+
+    @field.update!(:visible => false, :role_ids => [1])
+    get :show, :params => {:id => @attachment.id}
+    assert_response :success
+  end
+
+  def test_attachment_should_be_visible_with_permission
+    @request.session[:user_id] = 3 # developer
+    get :show, :params => {:id => @attachment.id}
+    assert_response :success
+
+    @field.update!(:visible => false, :role_ids => [1])
+    get :show, :params => {:id => @attachment.id}
+    assert_response 403
+  end
+end

test/unit/lib/redmine/field_format/attachment_format_visibility_test.rb

@@ -0,0 +1,59 @@
+# Redmine - project management software
+# Copyright (C) 2006-2017  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+require File.expand_path('../../../../../test_helper', __FILE__)
+require 'redmine/field_format'
+
+class AttachmentFormatVisibilityTest < ActionView::TestCase
+  fixtures :projects, :enabled_modules, :projects_trackers,
+           :roles, :members, :member_roles,
+           :users, :email_addresses,
+           :trackers, :issue_statuses, :enumerations, :issue_categories,
+           :versions, :issues
+
+  def setup
+    set_tmp_attachments_directory
+  end
+
+  def test_attachment_should_be_visible_with_visible_custom_field
+    field = IssueCustomField.generate!(:field_format => 'attachment', :visible => true)
+    attachment = new_record(Attachment) do
+      issue = Issue.generate
+      issue.custom_field_values = {field.id => {:file => mock_file}}
+      issue.save!
+    end
+
+    assert attachment.visible?(manager = User.find(2))
+    assert attachment.visible?(developer = User.find(3))
+    assert attachment.visible?(non_member = User.find(7))
+    assert attachment.visible?(User.anonymous)
+  end
+
+  def test_attachment_should_be_visible_with_limited_visibility_custom_field
+    field = IssueCustomField.generate!(:field_format => 'attachment', :visible => false, :role_ids => [1])
+    attachment = new_record(Attachment) do
+      issue = Issue.generate
+      issue.custom_field_values = {field.id => {:file => mock_file}}
+      issue.save!
+    end
+
+    assert attachment.visible?(manager = User.find(2))
+    assert !attachment.visible?(developer = User.find(3))
+    assert !attachment.visible?(non_member = User.find(7))
+    assert !attachment.visible?(User.anonymous)
+  end
+end