Fixed that 'My page' blocks may display issues that the user is no longer allowed to view (#2590).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2322 e93f8b46-1217-0410-a6f0-8f06a7374b81

4 files changed, 9 insertions, 6 deletions

diff --git a/app/models/issue.rb b/app/models/issue.rb
index 11db3f89d..84a3c8e3c 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -51,6 +51,9 @@ class Issue < ActiveRecord::Base
   validates_inclusion_of :done_ratio, :in => 0..100
   validates_numericality_of :estimated_hours, :allow_nil => true
 
+  named_scope :visible, lambda {|*args| { :include => :project,
+                                          :conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
+  
   def after_initialize
     if new_record?
       # set default values for new records only
diff --git a/app/views/my/blocks/_issuesassignedtome.rhtml b/app/views/my/blocks/_issuesassignedtome.rhtml
index 99812f6d0..f5e2e3e65 100644
--- a/app/views/my/blocks/_issuesassignedtome.rhtml
+++ b/app/views/my/blocks/_issuesassignedtome.rhtml
@@ -1,6 +1,6 @@
 <h3><%=l(:label_assigned_to_me_issues)%></h3>
-<% assigned_issues = Issue.find(:all, 
-                                :conditions => ["assigned_to_id=? AND #{IssueStatus.table_name}.is_closed=? AND #{Project.table_name}.status=#{Project::STATUS_ACTIVE}", user.id, false],
+<% assigned_issues = Issue.visible.find(:all, 
+                                :conditions => ["assigned_to_id=? AND #{IssueStatus.table_name}.is_closed=?", user.id, false],
                                 :limit => 10, 
                                 :include => [ :status, :project, :tracker, :priority ], 
                                 :order => "#{Enumeration.table_name}.position DESC, #{Issue.table_name}.updated_on DESC") %>
diff --git a/app/views/my/blocks/_issuesreportedbyme.rhtml b/app/views/my/blocks/_issuesreportedbyme.rhtml
index 317aebbfc..aa6e0e0eb 100644
--- a/app/views/my/blocks/_issuesreportedbyme.rhtml
+++ b/app/views/my/blocks/_issuesreportedbyme.rhtml
@@ -1,6 +1,6 @@
 <h3><%=l(:label_reported_issues)%></h3>
-<% reported_issues = Issue.find(:all, 
-                                :conditions => ["author_id=? AND #{Project.table_name}.status=#{Project::STATUS_ACTIVE}", user.id],
+<% reported_issues = Issue.visible.find(:all, 
+                                :conditions => { :author_id => user.id },
                                 :limit => 10, 
                                 :include => [ :status, :project, :tracker ], 
                                 :order => "#{Issue.table_name}.updated_on DESC") %>
diff --git a/app/views/my/blocks/_issueswatched.rhtml b/app/views/my/blocks/_issueswatched.rhtml
index e5c2f23ab..dc4bfb85e 100644
--- a/app/views/my/blocks/_issueswatched.rhtml
+++ b/app/views/my/blocks/_issueswatched.rhtml
@@ -1,8 +1,8 @@
 <h3><%=l(:label_watched_issues)%></h3>

-<% watched_issues = Issue.find(:all, 

+<% watched_issues = Issue.visible.find(:all, 

                                :include => [:status, :project, :tracker, :watchers],

                                :limit => 10, 

-                               :conditions => ["#{Watcher.table_name}.user_id = ? AND #{Project.table_name}.status=#{Project::STATUS_ACTIVE}", user.id],

+                               :conditions => ["#{Watcher.table_name}.user_id = ?", user.id],

                                :order => "#{Issue.table_name}.updated_on DESC") %>

 <%= render :partial => 'issues/list_simple', :locals => { :issues => watched_issues } %>

 <% if watched_issues.length > 0 %>