From 857cf5db38c23fd13f3834f773cc18c950c46d63 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Fri, 11 Nov 2011 12:22:47 +0000
Subject: Fixed: User with groups may not see issues assigned to him or to its groups (#9478).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@7771 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/issue.rb | 4 ++--
 test/unit/issue_test.rb | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/app/models/issue.rb b/app/models/issue.rb
index 50b0dcecd..735a50ee9 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -95,10 +95,10 @@ class Issue < ActiveRecord::Base
 nil
 when 'default'
 user_ids = [user.id] + user.groups.map(&:id)
- "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids}))"
+ "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
 when 'own'
 user_ids = [user.id] + user.groups.map(&:id)
- "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids}))"
+ "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
 else
 '1=0'
 end
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index 6b7702d93..c769c0c31 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
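Review bot: In app/models/issue.rb, the `assigned_to_id IN (...)` list in both the 'default' and 'own' branches is still built by raw string interpolation, and this string is the predicate that decides who can read private issues. The ids come from `user.id` and `user.groups.map(&:id)`, so they are presumably integers loaded from the database, but nothing in the hunk enforces that; `IN (#{user_ids.map(&:to_i).join(',')})` would make it explicit. A comment above the first `user_ids` line, such as `# join explicitly: interpolating the Array itself does not yield a valid SQL id list`, would help keep the regression from coming back. The identical `user_ids = ...` line in both branches could be hoisted above the `case`, which starts outside the hunk.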
@@ -160,6 +160,29 @@ class IssueTest < ActiveSupport::TestCase
 assert_visibility_match user, issues
 end
 
+ def test_visible_scope_for_member_with_groups_should_return_assigned_issues
+ user = User.find(8)
+ assert user.groups.any?
+ Member.create!(:principal => user.groups.first, :project_id => 1, :role_ids => [2])
+ Role.non_member.remove_permission!(:view_issues)
+
+ issue = Issue.create(:project_id => 1, :tracker_id => 1, :author_id => 3,
+ :status_id => 1, :priority => IssuePriority.all.first,
+ :subject => 'Assignment test',
+ :assigned_to => user.groups.first,
+ :is_private => true)
+
+ Role.find(2).update_attribute :issues_visibility, 'default'
+ issues = Issue.visible(User.find(8)).all
+ assert issues.any?
+ assert issues.include?(issue)
+
+ Role.find(2).update_attribute :issues_visibility, 'own'
+ issues = Issue.visible(User.find(8)).all
+ assert issues.any?
+ assert issues.include?(issue)
+ end
+
 def test_visible_scope_for_admin
 user = User.find(1)
 user.members.each(&:destroy)
-- 
cgit v1.2.3
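Review bot: The new test in test/unit/issue_test.rb only asserts that the group member sees the private issue; it never asserts that a user outside the group does not, so a visibility predicate that matches too broadly would still pass. For both the 'default' and 'own' settings I would add `assert !Issue.visible(other_user).all.include?(issue)`, where `other_user` is a placeholder for a fixture user who is neither the author, the assignee nor a member of that group. `Issue.create` should also be `Issue.create!`, so a validation failure surfaces at creation rather than as a failed `include?` assertion. With those in place the `assert issues.any?` lines are redundant.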