Fixed that members without view issues permission are able to list issues on public projects if the non member role has the permission (#20206).

git-svn-id: http://svn.redmine.org/redmine/trunk@14450 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Jean-Philippe Lang <jp_lang@yahoo.fr> 2015-07-25 06:44:01 +0000
committer: Jean-Philippe Lang <jp_lang@yahoo.fr> 2015-07-25 06:44:01 +0000
commit: 1def32c4dda9eb78ac6537d5270d5df83c7e98ba (patch)
tree: cfbd1acc69bc9a2e89d763e28cca2791a1bfaab8 /app/models/project.rb
parent: f1072337b9bcf5dae542780784e037b39ca52468 (diff)
download: redmine-1def32c4dda9eb78ac6537d5270d5df83c7e98ba.tar.gz
redmine-1def32c4dda9eb78ac6537d5270d5df83c7e98ba.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index 7c4ac3516..4a54b2210 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -188,7 +188,11 @@ class Project < ActiveRecord::Base
       unless options[:member]
         role = user.builtin_role
         if role.allowed_to?(permission)
-          statement_by_role[role] = "#{Project.table_name}.is_public = #{connection.quoted_true}"
+          s = "#{Project.table_name}.is_public = #{connection.quoted_true}"
+          if user.id
+            s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} WHERE user_id = #{user.id}))"
+          end
+          statement_by_role[role] = s
         end
       end
       user.projects_by_role.each do |role, projects|
author	Jean-Philippe Lang <jp_lang@yahoo.fr>	2015-07-25 06:44:01 +0000
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>	2015-07-25 06:44:01 +0000
commit	1def32c4dda9eb78ac6537d5270d5df83c7e98ba (patch)
tree	cfbd1acc69bc9a2e89d763e28cca2791a1bfaab8 /app/models/project.rb
parent	f1072337b9bcf5dae542780784e037b39ca52468 (diff)
download	redmine-1def32c4dda9eb78ac6537d5270d5df83c7e98ba.tar.gz redmine-1def32c4dda9eb78ac6537d5270d5df83c7e98ba.zip