authorGo MAEDA <maeda@farend.jp>2021-01-24 05:31:18 +0000
committerGo MAEDA <maeda@farend.jp>2021-01-24 05:31:18 +0000
commit0f4228d4e6dca2b23409b8a67632c473e0426555 (patch)
tree46a11a5e7f3a5704c69a4fc5d92a1d380f000bc4
parent020f56d93338d83bee4f8bf4ca45399615b356dc (diff)
Do not propose watchers that are not allowed to see the object (#33329).
Patch by Marius BALTEANU. git-svn-id: http://svn.redmine.org/redmine/trunk@20724 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/watchers_controller.rb7
-rw-r--r--test/functional/watchers_controller_test.rb14
2 files changed, 20 insertions, 1 deletions
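--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -141,7 +141,12 @@ class WatchersController < ApplicationController
 end
 users = scope.sorted.like(params[:q]).to_a
 if @watchables && @watchables.size == 1
-users -= @watchables.first.watcher_users
+watchable_object = @watchables.first
+users -= watchable_object.watcher_users
+
+if watchable_object.respond_to?(:visible?)
+users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)}
+end
 end
 users
 end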
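Review bot: The `user.is_a?(User)` guard in the `reject!` block restricts the visibility check to User principals, so if `scope` can yield Group records a group whose members cannot see the watchable is still proposed; the start of the enclosing method is outside the hunk, so whether groups reach this point cannot be confirmed from here. The `respond_to?(:visible?)` branch also falls back silently: a watchable without `visible?` gets no filtering at all, which is an authorization decision worth stating in code. Suggest a comment above the `if`, e.g. `# Hide users who are not allowed to see the watchable; groups and watchables without visible? are not filtered here.`, and, if groups are in scope, either checking each group's users or documenting that groups are intentionally exempt.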
diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index 4ab9c8243..4e93ce606 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -335,6 +335,20 @@ class WatchersControllerTest < Redmine::ControllerTest
assert_not_include hidden.name, response.body
end
+ def test_autocomplete_for_user_should_not_return_users_without_object_visibility
+ @request.session[:user_id] = 1
+ get :autocomplete_for_user, :params => {
+ q: 'rober',
+ project_id: 'onlinestore',
+ object_id: '4',
+ object_type: 'issue'
+ }, :xhr => true
+
+ assert_response :success
+
+ assert response.body.blank?
+ end
+
def test_append
@request.session[:user_id] = 2
assert_no_difference 'Watcher.count' do