Patch #33329 » 0002-Do-not-propose-watchers-that-are-not-allowed-to-see-.patch
app/controllers/watchers_controller.rb | ||
---|---|---|
133 | 133 |
users = scope.active.visible.sorted.like(params[:q]).to_a |
134 | 134 |
users += scope_groups.active.visible.sorted.like(params[:q]).to_a |
135 | 135 |
if @watchables && @watchables.size == 1 |
136 |
users -= @watchables.first.watcher_users |
|
136 |
watchable_object = @watchables.first |
|
137 |
users -= watchable_object.watcher_users |
|
138 | ||
139 |
if watchable_object.respond_to?(:visible?) |
|
140 |
users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)} |
|
141 |
end |
|
137 | 142 |
end |
138 | 143 |
users |
139 | 144 |
end |
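Review bot: The new visibility filter sits inside `if @watchables && @watchables.size == 1`, so when several watchables are passed the proposed list still contains users who cannot see some of them. Replacing the inner `if watchable_object.respond_to?(:visible?)` block with a per-watchable check after the outer `end` would cover both cases, e.g. `Array(@watchables).each { |w| users.reject! { |u| u.is_a?(User) && !w.visible?(u) } if w.respond_to?(:visible?) }`. The added test exercises only the single-issue case (`object_id: '4'`), so a multi-object case would be worth adding alongside it. This filter only shapes the suggestion list; the actions that actually create watchers are not in this hunk and presumably need the same `visible?` check on the server side, because the submitted user ids are not limited to what autocomplete offered. The enclosing method begins above line 133, outside the hunk.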
test/functional/watchers_controller_test.rb | ||
---|---|---|
335 | 335 |
assert_not_include hidden.name, response.body |
336 | 336 |
end |
337 | 337 | |
338 |
def test_autocomplete_for_user_should_not_return_users_without_object_visibility |
|
339 |
@request.session[:user_id] = 1 |
|
340 |
get :autocomplete_for_user, :params => { |
|
341 |
q: 'rober', |
|
342 |
project_id: 'onlinestore', |
|
343 |
object_id: '4', |
|
344 |
object_type: 'issue' |
|
345 |
}, :xhr => true |
|
346 | ||
347 |
assert_response :success |
|
348 | ||
349 |
assert response.body.blank? |
|
350 |
end |
|
351 | ||
338 | 352 |
def test_append |
339 | 353 |
@request.session[:user_id] = 2 |
340 | 354 |
assert_no_difference 'Watcher.count' do |