From 59d8ae61ef731351ca54a19bd9868b0b1e862c66 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Wed, 19 Sep 2012 21:48:33 +0000
Subject: Anonymous users should not see private issues with anonymous author (#11872).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10433 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/issue.rb | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
(limited to 'app/models/issue.rb')
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 6e7f9a52c..5b1cfadb8 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -88,11 +88,19 @@ class Issue < ActiveRecord::Base
 when 'all'
 nil
 when 'default'
- user_ids = [user.id] + user.groups.map(&:id)
- "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+ if user.logged?
+ user_ids = [user.id] + user.groups.map(&:id)
+ "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+ else
+ "(#{table_name}.is_private = #{connection.quoted_false})"
+ end
 when 'own'
- user_ids = [user.id] + user.groups.map(&:id)
- "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+ if user.logged?
+ user_ids = [user.id] + user.groups.map(&:id)
+ "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+ else
+ '1=0'
+ end
 else
 '1=0'
 end
@@ -106,9 +114,9 @@ class Issue < ActiveRecord::Base
 when 'all'
 true
 when 'default'
- !self.is_private? || self.author == user || user.is_or_belongs_to?(assigned_to)
+ !self.is_private? || (user.logged? && (self.author == user || user.is_or_belongs_to?(assigned_to)))
 when 'own'
- self.author == user || user.is_or_belongs_to?(assigned_to)
+ user.logged? && (self.author == user || user.is_or_belongs_to?(assigned_to))
 else
 false
 end
--
cgit v1.2.3
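Review bot: The new `user.logged?` guards in the `'default'` and `'own'` branches of the first hunk (the SQL condition) carry no comment explaining why anonymous users are excluded from the author/assignee match, so a later cleanup could remove them as redundant. Presumably all anonymous visitors resolve to one shared user record, which is why `author_id = #{user.id}` used to match private issues filed anonymously; a comment above each `if`, such as `# Anonymous visitors share one identity, so they must never match on author/assignee (#11872)`, would record that. The same comment belongs on the two changed lines of the second hunk. As far as the hunk shows, the interpolated `user.id` and group ids come from model records rather than request input, so the string-built SQL is not the concern here. The enclosing method starts and ends outside the hunk.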
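Review bot: The per-record check in the second hunk and the SQL condition in the first hunk now encode the same anonymous-user rule in two separate places, and nothing visible here keeps them in agreement. This patch view is limited to app/models/issue.rb, so any accompanying test changes are not shown. If none exist, a regression test should assert that a private issue with an anonymous author is both absent from the scoped query and rejected by the predicate for an anonymous user, under the `'default'` and `'own'` settings. The enclosing method starts and ends outside the hunk.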