authorGo MAEDA <maeda@farend.jp>2018-07-08 07:23:23 +0000
committerGo MAEDA <maeda@farend.jp>2018-07-08 07:23:23 +0000
commit5484198d98b91f287139a91cd2a858d5d75fc45a (patch)
treefdcdb0449324cecd866b452a9a80a42aa93b3630 /test
parentcb5fce04426df4803726c874e0e9e9285cdd7837 (diff)
downloadredmine-5484198d98b91f287139a91cd2a858d5d75fc45a.tar.gz
redmine-5484198d98b91f287139a91cd2a858d5d75fc45a.zip
Ensure that only visible watchers on issues can be queried (#29133).
Contributed by Holger Just and Mizuki ISHIKAWA. git-svn-id: http://svn.redmine.org/redmine/trunk@17436 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test')
-rw-r--r--test/unit/query_test.rb32
1 files changed, 32 insertions, 0 deletions
diff --git a/test/unit/query_test.rb b/test/unit/query_test.rb
index 5b9886dd9..aa29b2462 100644
--- a/test/unit/query_test.rb
+++ b/test/unit/query_test.rb
@@ -876,6 +876,38 @@ class QueryTest < ActiveSupport::TestCase
User.current = nil
end
+ def test_filter_on_watched_issues_with_view_issue_watchers_permission
+ User.current = User.find(1)
+ User.current.admin = true
+ assert User.current.allowed_to?(:view_issue_watchers, Project.find(1))
+
+ Issue.find(1).add_watcher User.current
+ Issue.find(3).add_watcher User.find(3)
+ query = IssueQuery.new(:name => '_', :filters => { 'watcher_id' => {:operator => '=', :values => ['me', '3']}})
+ result = find_issues_with_query(query)
+ assert_includes result, Issue.find(1)
+ assert_includes result, Issue.find(3)
+ ensure
+ User.current.reload
+ User.current = nil
+ end
+
+ def test_filter_on_watched_issues_without_view_issue_watchers_permission
+ User.current = User.find(1)
+ User.current.admin = false
+ assert !User.current.allowed_to?(:view_issue_watchers, Project.find(1))
+
+ Issue.find(1).add_watcher User.current
+ Issue.find(3).add_watcher User.find(3)
+ query = IssueQuery.new(:name => '_', :filters => { 'watcher_id' => {:operator => '=', :values => ['me', '3']}})
+ result = find_issues_with_query(query)
+ assert_includes result, Issue.find(1)
+ assert_not_includes result, Issue.find(3)
+ ensure
+ User.current.reload
+ User.current = nil
+ end
+
def test_filter_on_custom_field_should_ignore_projects_with_field_disabled
field = IssueCustomField.generate!(:trackers => Tracker.all, :project_ids => [1, 3, 4], :is_for_all => false, :is_filter => true)
Issue.generate!(:project_id => 3, :tracker_id => 2, :custom_field_values => {field.id.to_s => 'Foo'})
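Review bot: Both new tests use only the `=` operator on `watcher_id`, so the visibility rule is not pinned for the negated filter, where an issue missing from the result could disclose the same watcher relationship by exclusion. In `test_filter_on_watched_issues_without_view_issue_watchers_permission` I would add a second query with `{:operator => '!', :values => ['3']}` and assert that user 3's watcher entry does not change the result, presumably `assert_includes result, Issue.find(3)`. The precondition is also checked only against `Project.find(1)`, and the hunk does not show which project issue 3 belongs to, so `assert !User.current.allowed_to?(:view_issue_watchers, Issue.find(3).project)` would tie the permission check to the issue that the negative assertion depends on. Finally, permission is toggled through the in-memory `admin` flag, so a member whose role lacks `:view_issue_watchers` is not covered here and may deserve its own case.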