Patch #33329 » 0002-Do-not-propose-watchers-that-are-not-allowed-to-see-.patch

Marius BĂLTEANU, 2020-04-20 14:48


app/controllers/watchers_controller.rb
133 133
    users = scope.active.visible.sorted.like(params[:q]).to_a
134 134
    users += scope_groups.active.visible.sorted.like(params[:q]).to_a
135 135
    if @watchables && @watchables.size == 1
136
      users -= @watchables.first.watcher_users
136
      watchable_object = @watchables.first
137
      users -= watchable_object.watcher_users
138

  
139
      if watchable_object.respond_to?(:visible?)
140
        users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)}
141
      end
137 142
    end
138 143
    users
139 144
  end
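Review bot: The visibility filter added at new lines 139-141 runs only inside the `@watchables.size == 1` branch, so with several watchables selected, or none loaded, users who cannot see the objects are still proposed. If the multi-object case is reachable, the same rule could apply across all of them, e.g. `users.reject! {|user| user.is_a?(User) && @watchables.any? {|w| w.respond_to?(:visible?) && !w.visible?(user)}}`. The `user.is_a?(User)` guard also leaves groups unfiltered; if that is intentional, a comment such as `# groups are kept: visibility is evaluated per member, not per group` would record it. The list built here only narrows what is proposed, and the enclosing method starts outside the hunk, so whether the action that actually saves a watcher applies the same `visible?` check cannot be seen here and should be confirmed.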
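--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -335,6 +335,20 @@
     assert_not_include hidden.name, response.body
   end
 
+  def test_autocomplete_for_user_should_not_return_users_without_object_visibility
+    @request.session[:user_id] = 1
+    get :autocomplete_for_user, :params => {
+      q: 'rober',
+      project_id: 'onlinestore',
+      object_id: '4',
+      object_type: 'issue'
+    }, :xhr => true
+
+    assert_response :success
+
+    assert response.body.blank?
+  end
+
   def test_append
     @request.session[:user_id] = 2
     assert_no_difference 'Watcher.count' do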
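Review bot: The new test at lines 338-350 has no positive control: `assert response.body.blank?` also passes if the query `'rober'` matches nobody for a reason unrelated to visibility, such as a fixture change or a wrong project. Pairing it with the same request against an issue that user can see, asserting the name is present in `response.body`, would tie the empty result to the visibility rule. A short comment stating which fixture relationship the test relies on, along the lines of `# issue 4 is not visible to the user matching 'rober'` (to be checked against the fixtures, which are not shown here), would make the intent readable without opening the fixture files.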