From d26ce4116f8a71d7fe74acf233d00e00ceebe5de Mon Sep 17 00:00:00 2001
From: Gregor Schmidt <schmidt@nach-vorne.eu>
Date: Mon, 20 Nov 2017 13:59:53 +0100
Subject: [PATCH 2/4] Adds visibility checks on version views

Previously not all data on the roadmap and version view where properly checked against the issue visibility setting. Unprivileged users were able to see the total number of issues, their estimations and the open/close status - even if the user was only allowed to see their own issues.
---
 app/helpers/versions_helper.rb        |  4 ++--
 app/views/versions/_overview.html.erb | 20 ++++++++++----------
 app/views/versions/show.html.erb      |  4 ++--
 3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/app/helpers/versions_helper.rb b/app/helpers/versions_helper.rb
index fe1fb8815..9d088a9d9 100644
--- a/app/helpers/versions_helper.rb
+++ b/app/helpers/versions_helper.rb
@@ -57,9 +57,9 @@ module VersionsHelper
     h = Hash.new {|k,v| k[v] = [0, 0]}
     begin
       # Total issue count
-      version.fixed_issues.group(criteria).count.each {|c,s| h[c][0] = s}
+      version.fixed_issues.visible.group(criteria).count.each {|c,s| h[c][0] = s}
       # Open issues count
-      version.fixed_issues.open.group(criteria).count.each {|c,s| h[c][1] = s}
+      version.fixed_issues.visible.open.group(criteria).count.each {|c,s| h[c][1] = s}
     rescue ActiveRecord::RecordNotFound
     # When grouping by an association, Rails throws this exception if there's no result (bug)
     end
diff --git a/app/views/versions/_overview.html.erb b/app/views/versions/_overview.html.erb
index 2effb3180..ec7a18a6f 100644
--- a/app/views/versions/_overview.html.erb
+++ b/app/views/versions/_overview.html.erb
@@ -14,22 +14,22 @@
 </ul>
 <% end %>
 
-<% if version.issues_count > 0 %>
-    <%= progress_bar([version.closed_percent, version.completed_percent],
+<% if version.fixed_issues.visible.count > 0 %>
+    <%= progress_bar([version.fixed_issues.visible.closed_percent, version.fixed_issues.visible.completed_percent],
                      :titles =>
-                       ["%s: %0.0f%%" % [l(:label_closed_issues_plural), version.closed_percent],
-                        "%s: %0.0f%%" % [l(:field_done_ratio), version.completed_percent]],
-                     :legend => ('%0.0f%%' % version.completed_percent)) %>
+                       ["%s: %0.0f%%" % [l(:label_closed_issues_plural), version.fixed_issues.visible.closed_percent],
+                        "%s: %0.0f%%" % [l(:field_done_ratio), version.fixed_issues.visible.completed_percent]],
+                     :legend => ('%0.0f%%' % version.fixed_issues.visible.completed_percent)) %>
     <p class="progress-info">
-      <%= link_to(l(:label_x_issues, :count => version.issues_count),
+      <%= link_to(l(:label_x_issues, :count => version.fixed_issues.visible.count),
                   version_filtered_issues_path(version, :status_id => '*')) %>
       &nbsp;
-      (<%= link_to_if(version.closed_issues_count > 0,
-                      l(:label_x_closed_issues_abbr, :count => version.closed_issues_count),
+      (<%= link_to_if(version.fixed_issues.visible.closed_count > 0,
+                      l(:label_x_closed_issues_abbr, :count => version.fixed_issues.visible.closed_count),
                       version_filtered_issues_path(version, :status_id => 'c')) %>
       &#8212;
-      <%= link_to_if(version.open_issues_count > 0,
-                     l(:label_x_open_issues_abbr, :count => version.open_issues_count),
+      <%= link_to_if(version.fixed_issues.visible.open_count > 0,
+                     l(:label_x_open_issues_abbr, :count => version.fixed_issues.visible.open_count),
                      version_filtered_issues_path(version, :status_id => 'o')) %>)
     </p>
 <% else %>
diff --git a/app/views/versions/show.html.erb b/app/views/versions/show.html.erb
index fc22a9ffb..83953cce0 100644
--- a/app/views/versions/show.html.erb
+++ b/app/views/versions/show.html.erb
@@ -12,12 +12,12 @@
 <%= render(:partial => "wiki/content", :locals => {:content => @version.wiki_page.content}) if @version.wiki_page %>
 
 <div id="version-summary">
-<% if @version.estimated_hours > 0 || User.current.allowed_to?(:view_time_entries, @project) %>
+<% if @version.fixed_issues.visible.estimated_hours > 0 || User.current.allowed_to?(:view_time_entries, @project) %>
 <fieldset class="time-tracking"><legend><%= l(:label_time_tracking) %></legend>
 <table>
 <tr>
     <th><%= l(:field_estimated_hours) %></th>
-    <td class="total-hours"><%= link_to html_hours(l_hours(@version.estimated_hours)),
+    <td class="total-hours"><%= link_to html_hours(l_hours(@version.fixed_issues.visible.estimated_hours)),
                                         project_issues_path(@version.project, :set_filter => 1, :status_id => '*', :fixed_version_id => @version.id, :c => [:tracker, :status, :subject, :estimated_hours], :t => [:estimated_hours]) %></td>
 </tr>
 <% if User.current.allowed_to_view_all_time_entries?(@project) %>
-- 
2.14.1