From 4ec21ecdf5feda099796235bdc45917871ddada7 Mon Sep 17 00:00:00 2001 From: Marius Balteanu Date: Sun, 12 May 2024 07:42:23 +0000 Subject: Merged r22819 and r22820 to 5.1-stable (#40412). git-svn-id: https://svn.redmine.org/redmine/branches/5.1-stable@22824 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/models/issue_query.rb | 4 +++- test/unit/query_test.rb | 41 ++++++++++++++++++++++++++++++++++++++--- 2 files changed, 41 insertions(+), 4 deletions(-) diff --git a/app/models/issue_query.rb b/app/models/issue_query.rb index bede78575..d368dbe17 100644 --- a/app/models/issue_query.rb +++ b/app/models/issue_query.rb @@ -521,7 +521,9 @@ class IssueQuery < Query def sql_for_watcher_id_field(field, operator, value) db_table = Watcher.table_name - me, others = value.partition {|id| ['0', User.current.id.to_s].include?(id)} + me_ids = [0, User.current.id] + me_ids = me_ids.concat(User.current.groups.pluck(:id)) + me, others = value.partition {|id| me_ids.include?(id.to_i)} sql = if others.any? "SELECT #{Issue.table_name}.id FROM #{Issue.table_name} " + diff --git a/test/unit/query_test.rb b/test/unit/query_test.rb index 1b687ed2b..c8ba72cad 100644 --- a/test/unit/query_test.rb +++ b/test/unit/query_test.rb @@ -1376,7 +1376,7 @@ class QueryTest < ActiveSupport::TestCase assert_equal Project.where(parent_id: bookmarks).ids, result.map(&:id).sort end - def test_filter_watched_issues + def test_filter_watched_issues_by_user User.current = User.find(1) query = IssueQuery.new( @@ -1384,7 +1384,7 @@ class QueryTest < ActiveSupport::TestCase :filters => { 'watcher_id' => { :operator => '=', - :values => ['me'] + :values => [User.current.id] } } ) @@ -1394,13 +1394,17 @@ class QueryTest < ActiveSupport::TestCase assert_equal Issue.visible.watched_by(User.current).sort_by(&:id), result.sort_by(&:id) end - def test_filter_watched_issues_with_groups_also + def test_filter_watched_issues_by_me_should_include_user_groups user = User.find(2) group = Group.find(10) group.users << user Issue.find(3).add_watcher(user) Issue.find(7).add_watcher(group) + manager = Role.find(1) + # view_issue_watchers permission is not required to see watched issues by current user or user groups + manager.remove_permission! :view_issue_watchers User.current = user + query = IssueQuery.new( :name => '_', @@ -1412,11 +1416,42 @@ class QueryTest < ActiveSupport::TestCase } ) result = find_issues_with_query(query) + assert_not_nil result assert !result.empty? assert_equal [3, 7], result.sort_by(&:id).pluck(:id) end + def test_filter_watched_issues_by_group_should_include_only_projects_with_permission + user = User.find(2) + group = Group.find(10) + + Issue.find(4).add_watcher(group) + Issue.find(2).add_watcher(group) + + developer = Role.find(2) + developer.remove_permission! :view_issue_watchers + + User.current = user + + query = + IssueQuery.new( + :name => '_', + :filters => { + 'watcher_id' => { + :operator => '=', + :values => [group.id] + } + } + ) + result = find_issues_with_query(query) + + assert_not_nil result + + # "Developer" role doesn't have the view_issue_watchers permission of issue's #4 project (OnlineStore). + assert_equal [2], result.pluck(:id) + end + def test_filter_unwatched_issues User.current = User.find(1) query = -- cgit v1.2.3