Diffstat (limited to 'test')
-rw-r--r-- | test/fixtures/roles.yml | 5 | ||||
-rw-r--r-- | test/functional/issues_controller_test.rb | 20 | ||||
-rw-r--r-- | test/unit/issue_test.rb | 43 |
3 files changed, 67 insertions, 1 deletions
diff --git a/test/fixtures/roles.yml b/test/fixtures/roles.yml
index 08699ff83..22f690328 100644
--- a/test/fixtures/roles.yml
+++ b/test/fixtures/roles.yml
@@ -10,6 +10,7 @@ roles_001:
 - :manage_members
 - :manage_versions
 - :manage_categories
+ - :view_issues
 - :add_issues
 - :edit_issues
 - :manage_issue_relations
@@ -60,6 +61,7 @@ roles_002:
 - :manage_members
 - :manage_versions
 - :manage_categories
+ - :view_issues
 - :add_issues
 - :edit_issues
 - :manage_issue_relations
@@ -102,6 +104,7 @@ roles_003:
 - :manage_members
 - :manage_versions
 - :manage_categories
+ - :view_issues
 - :add_issues
 - :edit_issues
 - :manage_issue_relations
@@ -135,6 +138,7 @@ roles_004:
 builtin: 1
 permissions: |
 ---
+ - :view_issues
 - :add_issues
 - :edit_issues
 - :manage_issue_relations
@@ -164,6 +168,7 @@ roles_005:
 builtin: 2
 permissions: |
 ---
+ - :view_issues
 - :add_issue_notes
 - :view_gantt
 - :view_calendar
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb
index 6786b02e7..1cff860b4 100644
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@@ -358,6 +358,26 @@ class IssuesControllerTest < ActionController::TestCase
 :content => /Notes/ } }
 end
+ def test_show_should_deny_anonymous_access_without_permission
+ Role.anonymous.remove_permission!(:view_issues)
+ get :show, :id => 1
+ assert_response :redirect
+ end
+
+ def test_show_should_deny_non_member_access_without_permission
+ Role.non_member.remove_permission!(:view_issues)
+ @request.session[:user_id] = 9
+ get :show, :id => 1
+ assert_response 403
+ end
+
+ def test_show_should_deny_member_access_without_permission
+ Role.find(1).remove_permission!(:view_issues)
+ @request.session[:user_id] = 2
+ get :show, :id => 1
+ assert_response 403
+ end
+
 def test_show_should_not_disclose_relations_to_invisible_issues
 Setting.cross_project_issue_relations = '1'
 IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates')
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index a8010cf48..84ccef601 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -18,7 +18,7 @@
 require File.dirname(__FILE__) + '/../test_helper'
 class IssueTest < ActiveSupport::TestCase
- fixtures :projects, :users, :members, :member_roles,
+ fixtures :projects, :users, :members, :member_roles, :roles,
 :trackers, :projects_trackers, :versions,
 :issue_statuses, :issue_categories, :issue_relations, :workflows,
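Review bot: `test_show_should_deny_anonymous_access_without_permission` only asserts `assert_response :redirect`, which any redirect satisfies; pinning the target with `assert_redirected_to` (the login page, plus whatever back_url the controller actually emits) would make the test fail if the action ever started redirecting an unauthorized anonymous request somewhere else instead of to login. The two 403 tests are tighter and need no change. `test_show_should_deny_member_access_without_permission` requests issue 1, which, inferring from the anonymous test's normal visibility, lives in a public project where the non-member role still holds `:view_issues`; the 403 therefore depends on member roles taking precedence over the non-member role on public projects, and a second case against an issue in a private project would exercise the more direct denial path. All three tests change role rows with `remove_permission!`, so they rely on transactional fixtures to undo that between tests — worth a comment if the test helper does not already say so.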
@@ -64,6 +64,47 @@ class IssueTest < ActiveSupport::TestCase
 assert_equal 'PostgreSQL', issue.custom_value_for(field).value
 end
+ def test_visible_scope_for_anonymous
+ # Anonymous user should see issues of public projects only
+ issues = Issue.visible(User.anonymous).all
+ assert issues.any?
+ assert_nil issues.detect {|issue| !issue.project.is_public?}
+ # Anonymous user should not see issues without permission
+ Role.anonymous.remove_permission!(:view_issues)
+ issues = Issue.visible(User.anonymous).all
+ assert issues.empty?
+ end
+
+ def test_visible_scope_for_user
+ user = User.find(9)
+ assert user.projects.empty?
+ # Non member user should see issues of public projects only
+ issues = Issue.visible(user).all
+ assert issues.any?
+ assert_nil issues.detect {|issue| !issue.project.is_public?}
+ # Non member user should not see issues without permission
+ Role.non_member.remove_permission!(:view_issues)
+ user.reload
+ issues = Issue.visible(user).all
+ assert issues.empty?
+ # User should see issues of projects for which he has view_issues permissions only
+ Member.create!(:principal => user, :project_id => 2, :role_ids => [1])
+ user.reload
+ issues = Issue.visible(user).all
+ assert issues.any?
+ assert_nil issues.detect {|issue| issue.project_id != 2}
+ end
+
+ def test_visible_scope_for_admin
+ user = User.find(1)
+ user.members.each(&:destroy)
+ assert user.projects.empty?
+ issues = Issue.visible(user).all
+ assert issues.any?
+ # Admin should see issues on private projects that he does not belong to
+ assert issues.detect {|issue| !issue.project.is_public?}
+ end
+
 def test_errors_full_messages_should_include_custom_fields_errors
 field = IssueCustomField.find_by_name('Database')
|
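Review bot: The `assert_nil issues.detect {|issue| ...}` pattern in `test_visible_scope_for_anonymous` and `test_visible_scope_for_user` yields an unhelpful failure ("expected nil" with an Issue inspect dump) when visibility leaks; `assert issues.all? {|issue| issue.project.is_public?}` and, after the membership is created, `assert issues.all? {|issue| issue.project_id == 2}` state the intent directly and can carry a message naming the leaked issue. In `test_visible_scope_for_user` the final project_id check only holds because `:view_issues` was removed from the non-member role earlier in the same test, so public projects are hidden too; that dependency deserves to be spelled out in the comment, e.g. `# non_member role no longer has :view_issues, so only the project 2 membership grants visibility`. In `test_visible_scope_for_admin`, `assert user.projects.empty?` after `user.members.each(&:destroy)` relies on the `projects` association not having been loaded yet on that object; a `user.reload` as in the previous test makes that explicit. The IssueTest class body continues outside the hunk.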