authorJean-Philippe Lang <jp_lang@yahoo.fr>2011-04-15 13:23:13 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2011-04-15 13:23:13 +0000
commitf16cddd57ae87b820d24dd378ef036c52a4f15d4 (patch)
treec99481dd328c4cf9868af6422278ab8bd4bccede /test
parent37205a8991920e3bc403f52711308878fea05553 (diff)
Private issues (#7414).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@5466 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test')
-rw-r--r--test/fixtures/attachments.yml13
-rw-r--r--test/fixtures/issues.yml18
-rw-r--r--test/fixtures/roles.yml2
-rw-r--r--test/functional/attachments_controller_test.rb12
-rw-r--r--test/functional/issues_controller_test.rb49
-rw-r--r--test/unit/issue_test.rb9
6 files changed, 100 insertions, 3 deletions
diff --git a/test/fixtures/attachments.yml b/test/fixtures/attachments.yml
index bd4a86ac6..438e21254 100644
--- a/test/fixtures/attachments.yml
+++ b/test/fixtures/attachments.yml
@@ -169,3 +169,16 @@ attachments_014:
filename: changeset_utf8.diff
author_id: 2
content_type: text/x-diff
+attachments_015:
+ id: 15
+ created_on: 2010-07-19 21:07:27 +02:00
+ container_type: Issue
+ container_id: 14
+ downloads: 0
+ disk_filename: 060719210727_changeset_utf8.diff
+ digest: b91e08d0cf966d5c6ff411bd8c4cc3a2
+ filesize: 687
+ filename: private.diff
+ author_id: 2
+ content_type: text/x-diff
+ description: attachement of a private issue
diff --git a/test/fixtures/issues.yml b/test/fixtures/issues.yml
index e13817780..b001b4835 100644
--- a/test/fixtures/issues.yml
+++ b/test/fixtures/issues.yml
@@ -244,3 +244,21 @@ issues_013:
root_id: 13
lft: 1
rgt: 2
+issues_014:
+ id: 14
+ created_on: <%= 15.days.ago.to_date.to_s(:db) %>
+ project_id: 3
+ updated_on: <%= 15.days.ago.to_date.to_s(:db) %>
+ priority_id: 5
+ subject: Private issue on public project
+ fixed_version_id:
+ category_id:
+ description: This is a private issue
+ tracker_id: 1
+ assigned_to_id:
+ author_id: 2
+ status_id: 1
+ is_private: true
+ root_id: 14
+ lft: 1
+ rgt: 2
diff --git a/test/fixtures/roles.yml b/test/fixtures/roles.yml
index 7491f2f07..903df8cb1 100644
--- a/test/fixtures/roles.yml
+++ b/test/fixtures/roles.yml
@@ -3,7 +3,7 @@ roles_001:
name: Manager
id: 1
builtin: 0
- issues_visibility: default
+ issues_visibility: all
permissions: |
---
- :add_project
diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb
index f7293ff9c..8354ba54f 100644
--- a/test/functional/attachments_controller_test.rb
+++ b/test/functional/attachments_controller_test.rb
@@ -86,6 +86,18 @@ class AttachmentsControllerTest < ActionController::TestCase
assert_equal 'application/octet-stream', @response.content_type
end
+ def test_show_file_from_private_issue_without_permission
+ get :show, :id => 15
+ assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fattachments%2F15'
+ end
+
+ def test_show_file_from_private_issue_with_permission
+ @request.session[:user_id] = 2
+ get :show, :id => 15
+ assert_response :success
+ assert_tag 'h2', :content => /private.diff/
+ end
+
def test_download_text_file
get :download, :id => 4
assert_response :success
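Review bot: The two new tests cover only the `show` action for attachment 15, while the `download` action exercised by `test_download_text_file` in the same hunk is the one that returns the file contents and has no private-issue case. The denied path is also checked only for an anonymous visitor, so a logged-in user who cannot see issue 14 is not covered. Per the fixtures in this commit, user 2 is the author of issue 14, so the permitted case does not show whether access came from authorship or from a role. The additions below are a sketch; the user id and expected status should be confirmed against the fixtures.

```ruby
# … unchanged: test_show_file_from_private_issue_without_permission / _with_permission …

def test_download_file_from_private_issue_without_permission
  get :download, :id => 15
  assert_response :redirect
end

def test_show_file_from_private_issue_as_non_member
  # user 9 is the non-member account used in IssuesControllerTest; confirm it has no role on project 3
  @request.session[:user_id] = 9
  get :show, :id => 15
  assert_response 403
end
```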
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb
index 31132eba0..e9a916343 100644
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@@ -91,6 +91,13 @@ class IssuesControllerTest < ActionController::TestCase
assert_no_tag :tag => 'a', :content => /Can't print recipes/
assert_tag :tag => 'a', :content => /Subproject issue/
end
+
+ def test_index_should_list_visible_issues_only
+ get :index, :per_page => 100
+ assert_response :success
+ assert_not_nil assigns(:issues)
+ assert_nil assigns(:issues).detect {|issue| !issue.visible?}
+ end
def test_index_with_project
Setting.display_subprojects_issues = 0
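Review bot: `test_index_should_list_visible_issues_only` can pass without exercising the filter, because `assert_not_nil assigns(:issues)` accepts an empty list. The `detect` check also relies on `issue.visible?`, which would presumably agree with the index query if both shared the same mistake. Adding `assert assigns(:issues).any?` and `assert !assigns(:issues).map(&:id).include?(14)` would pin the private fixture that issues.yml gains in this commit. The request runs only as anonymous, so the listing for a logged-in user with default visibility is not covered here.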
@@ -317,6 +324,12 @@ class IssuesControllerTest < ActionController::TestCase
assert_response :redirect
end
+ def test_show_should_deny_anonymous_access_to_private_issue
+ Issue.update_all(["is_private = ?", true], "id = 1")
+ get :show, :id => 1
+ assert_response :redirect
+ end
+
def test_show_should_deny_non_member_access_without_permission
Role.non_member.remove_permission!(:view_issues)
@request.session[:user_id] = 9
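Review bot: `assert_response :redirect` in `test_show_should_deny_anonymous_access_to_private_issue` accepts any redirect, so the test would still pass if the request were sent somewhere other than the login page. AttachmentsControllerTest in this same commit pins the target with `assert_redirected_to`. The equivalent here would be `assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fissues%2F1'`, assuming the issue route is `/issues/1`. A short comment such as `# anonymous users are sent to login rather than shown a 403` would also explain why this case differs from the 403 expected for logged-in users in the next tests.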
@@ -324,6 +337,13 @@ class IssuesControllerTest < ActionController::TestCase
assert_response 403
end
+ def test_show_should_deny_non_member_access_to_private_issue
+ Issue.update_all(["is_private = ?", true], "id = 1")
+ @request.session[:user_id] = 9
+ get :show, :id => 1
+ assert_response 403
+ end
+
def test_show_should_deny_member_access_without_permission
Role.find(1).remove_permission!(:view_issues)
@request.session[:user_id] = 2
@@ -331,6 +351,35 @@ class IssuesControllerTest < ActionController::TestCase
assert_response 403
end
+ def test_show_should_deny_member_access_to_private_issue_without_permission
+ Issue.update_all(["is_private = ?", true], "id = 1")
+ @request.session[:user_id] = 3
+ get :show, :id => 1
+ assert_response 403
+ end
+
+ def test_show_should_allow_author_access_to_private_issue
+ Issue.update_all(["is_private = ?, author_id = 3", true], "id = 1")
+ @request.session[:user_id] = 3
+ get :show, :id => 1
+ assert_response :success
+ end
+
+ def test_show_should_allow_assignee_access_to_private_issue
+ Issue.update_all(["is_private = ?, assigned_to_id = 3", true], "id = 1")
+ @request.session[:user_id] = 3
+ get :show, :id => 1
+ assert_response :success
+ end
+
+ def test_show_should_allow_member_access_to_private_issue_with_permission
+ Issue.update_all(["is_private = ?", true], "id = 1")
+ User.find(3).roles_for_project(Project.find(1)).first.update_attribute :issues_visibility, 'all'
+ @request.session[:user_id] = 3
+ get :show, :id => 1
+ assert_response :success
+ end
+
def test_show_should_not_disclose_relations_to_invisible_issues
Setting.cross_project_issue_relations = '1'
IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates')
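Review bot: None of the new `show` tests checks that `issues_visibility` set to `'all'` cannot substitute for the `view_issues` permission. `test_show_should_allow_member_access_to_private_issue_with_permission` widens visibility on a role that still holds `view_issues`, so the interaction between the two settings is untested. A case that sets visibility to `'all'`, removes `view_issues` and expects 403 would pin that. The sketch below assumes user 3 has a single role on project 1, which the `.first` call in the existing test also relies on. Separately, `"is_private = ?, author_id = 3"` mixes a bound value with an inlined one; `["is_private = ?, author_id = ?", true, 3]` would be consistent.

```ruby
# … unchanged: the allow/deny tests added by this hunk …

def test_show_should_deny_member_access_to_private_issue_without_view_issues_permission
  Issue.update_all(["is_private = ?", true], "id = 1")
  role = User.find(3).roles_for_project(Project.find(1)).first
  role.update_attribute :issues_visibility, 'all'
  role.remove_permission!(:view_issues)
  @request.session[:user_id] = 3
  get :show, :id => 1
  assert_response 403
end
```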
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index ff98711a3..25f664a3e 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -74,6 +74,7 @@ class IssueTest < ActiveSupport::TestCase
issues = Issue.visible(User.anonymous).all
assert issues.any?
assert_nil issues.detect {|issue| !issue.project.is_public?}
+ assert_nil issues.detect {|issue| issue.is_private?}
assert_visibility_match User.anonymous, issues
end
@@ -102,6 +103,7 @@ class IssueTest < ActiveSupport::TestCase
issues = Issue.visible(user).all
assert issues.any?
assert_nil issues.detect {|issue| !issue.project.is_public?}
+ assert_nil issues.detect {|issue| issue.is_private?}
assert_visibility_match user, issues
end
@@ -130,10 +132,11 @@ class IssueTest < ActiveSupport::TestCase
user = User.find(9)
# User should see issues of projects for which he has view_issues permissions only
Role.non_member.remove_permission!(:view_issues)
- Member.create!(:principal => user, :project_id => 2, :role_ids => [1])
+ Member.create!(:principal => user, :project_id => 3, :role_ids => [2])
issues = Issue.visible(user).all
assert issues.any?
- assert_nil issues.detect {|issue| issue.project_id != 2}
+ assert_nil issues.detect {|issue| issue.project_id != 3}
+ assert_nil issues.detect {|issue| issue.is_private?}
assert_visibility_match user, issues
end
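Review bot: The switch from project 2 / role 1 to project 3 / role 2 in this test has no comment explaining it, and the reason is not obvious from the test itself. It appears to follow from roles.yml giving role 1 `issues_visibility: all` and issues.yml placing private issue 14 in project 3, both in this commit. The new `is_private?` assertion is therefore only meaningful while role 2 keeps the default visibility. A comment above `Member.create!` would record that dependency, for example `# Role 2 keeps the default issues_visibility; project 3 holds private issue 14, which must stay hidden` (confirm role 2's setting in roles.yml). The test method begins outside the hunk.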
@@ -145,6 +148,8 @@ class IssueTest < ActiveSupport::TestCase
assert issues.any?
# Admin should see issues on private projects that he does not belong to
assert issues.detect {|issue| !issue.project.is_public?}
+ # Admin should see private issues of other users
+ assert issues.detect {|issue| issue.is_private? && issue.author != user}
assert_visibility_match user, issues
end