From 83777f727a4291e63962470070b9a1bba9e42f27 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Tue, 28 Jun 2016 20:31:08 +0000
Subject: Assignable users should not include users that cannot view the tracker (#23172).

git-svn-id: http://svn.redmine.org/redmine/trunk@15586 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/context_menus_controller.rb | 12 ++----------
 app/models/issue.rb                         |  2 +-
 app/models/project.rb                       | 15 +++++++++++++--
 app/models/role.rb                          |  7 +++++++
 4 files changed, 23 insertions(+), 13 deletions(-)

(limited to 'app')

diff --git a/app/controllers/context_menus_controller.rb b/app/controllers/context_menus_controller.rb
index 66ec35085..dc8e72609 100644
--- a/app/controllers/context_menus_controller.rb
+++ b/app/controllers/context_menus_controller.rb
@@ -35,16 +35,8 @@ class ContextMenusController < ApplicationController
             :add_watchers => User.current.allowed_to?(:add_issue_watchers, @projects),
             :delete => @issues.all?(&:deletable?)
             }
-    if @project
-      if @issue
-        @assignables = @issue.assignable_users
-      else
-        @assignables = @project.assignable_users
-      end
-    else
-      #when multiple projects, we only keep the intersection of each set
-      @assignables = @projects.map(&:assignable_users).reduce(:&)
-    end
+
+    @assignables = @issues.map(&:assignable_users).reduce(:&)
     @trackers = @projects.map {|p| Issue.allowed_target_trackers(p) }.reduce(:&)
     @versions = @projects.map {|p| p.shared_versions.open}.reduce(:&)
 
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 9cf29532a..5b6ae3041 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -854,7 +854,7 @@ class Issue < ActiveRecord::Base
 
   # Users the issue can be assigned to
   def assignable_users
-    users = project.assignable_users.to_a
+    users = project.assignable_users(tracker).to_a
     users << author if author && author.active?
     users << assigned_to if assigned_to
     users.uniq.sort
diff --git a/app/models/project.rb b/app/models/project.rb
index b6bc13dde..c48c54855
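Review bot: The new `@assignables` line intersects per-issue lists, and `Issue#assignable_users` (changed in the next hunk) appends each issue's author and current assignee after the project-level filter, so for a single selected issue the menu can still offer a user the commit means to exclude; if that is intended, state it where the list is built: `# per-issue lists keep each issue's author/assignee even if they cannot view the tracker`. As with the `@trackers` and `@versions` lines that follow, `reduce(:&)` yields nil rather than an empty array when `@issues` is empty, which the view presumably already tolerates, but `.reduce(:&) || []` would make the contract explicit. The enclosing action starts before this hunk.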
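Review bot: The tracker restriction applied by `project.assignable_users(tracker)` is bypassed two lines later, where `author` and `assigned_to` are appended unconditionally (`assigned_to` even without the `active?` check the author gets), so those two users remain assignable regardless of tracker visibility. If that is deliberate — presumably so an existing assignment does not start failing validation once a tracker restriction is added — the method comment should say so: `# The author and current assignee stay assignable even when the tracker filter would drop them`. It is also worth noting there that with `tracker` nil (an issue whose tracker is not yet set) no tracker filtering happens at all, since `Project#assignable_users` only filters when a tracker is given.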
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -512,16 +512,27 @@ class Project < ActiveRecord::Base
   end
 
   # Return a Principal scope of users/groups issues can be assigned to
-  def assignable_users
+  def assignable_users(tracker=nil)
+    return @assignable_users[tracker] if @assignable_users && @assignable_users[tracker]
+
     types = ['User']
     types << 'Group' if Setting.issue_group_assignment?
 
-    @assignable_users ||= Principal.
+    scope = Principal.
       active.
       joins(:members => :roles).
       where(:type => types, :members => {:project_id => id}, :roles => {:assignable => true}).
       uniq.
       sorted
+
+    if tracker
+      # Rejects users that cannot the view the tracker
+      roles = Role.where(:assignable => true).select {|role| role.permissions_tracker?(:view_issues, tracker)}
+      scope = scope.where(:roles => {:id => roles.map(&:id)})
+    end
+
+    @assignable_users ||= {}
+    @assignable_users[tracker] = scope
   end
 
   # Returns the mail addresses of users that should be always notified on project events
diff --git a/app/models/role.rb b/app/models/role.rb
index 89538aa4d..86fe73070 100644
--- a/app/models/role.rb
+++ b/app/models/role.rb
@@ -222,6 +222,13 @@ class Role < ActiveRecord::Base
     permissions_all_trackers[permission.to_s].to_s != '0'
   end
 
+  # Returns true if permission is given for the tracker
+  # (explicitly or for all trackers)
+  def permissions_tracker?(permission, tracker)
+    permissions_all_trackers?(permission) ||
+      permissions_tracker_ids?(permission, tracker.try(:id))
+  end
+
   # Sets the trackers that are allowed for a permission.
   # tracker_ids can be an array of tracker ids or :all for
   # no restrictions.
-- 
cgit v1.2.3
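Review bot: The tracker filter on the `scope = scope.where(:roles => {:id => roles.map(&:id)})` line is applied to the same joined `roles` row as the earlier `:roles => {:assignable => true}` condition, so a member only qualifies through a single role that is both assignable and allowed to view the tracker; a member whose assignable role is restricted from the tracker but who can view it through a second, non-assignable role is dropped. That is stricter than a per-user union of role permissions (presumably how visibility is evaluated elsewhere), but it fails closed — with no matching role the `id` list is empty and nobody is assignable — so if that is acceptable it should be documented: `# NOTE: a member needs one role that is both assignable and allowed to view the tracker`. The `Role.where(...).select { }` block loads every assignable role and filters in Ruby on each per-tracker cache miss, which is fine for a handful of roles but worth stating. The inline comment also has a typo: `# Rejects users that cannot view the tracker`.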
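Review bot: `permissions_tracker?` only consults the per-tracker restriction data — and the context line above shows `permissions_all_trackers?` answers true for any permission whose entry is unset (`.to_s != '0'`) — so it never checks whether the role holds `permission` at all; a role without `view_issues` but with no tracker restriction recorded answers true, and `Project#assignable_users` then treats its members as able to view the tracker. If the method is meant to answer "can this role see this tracker's issues", as its caller's comment assumes, guard it with the role's own permission check first, e.g. `has_permission?(permission) && (permissions_all_trackers?(permission) || permissions_tracker_ids?(permission, tracker.try(:id)))`, assuming such a check exists on Role; otherwise extend the doc comment to say the base permission is not checked here. With a nil tracker the `tracker.try(:id)` branch presumably matches only roles allowed for all trackers, which the doc comment could also state.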