From 58f0976d818f69533eea95e620bdce7064004856 Mon Sep 17 00:00:00 2001
From: Marius BALTEANU
Date: Sun, 19 Apr 2020 00:43:47 +0300
Subject: [PATCH 2/3] Do not propose watchers that are not allowed to see the object

---
 app/controllers/watchers_controller.rb | 7 ++++++-
 test/functional/watchers_controller_test.rb | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index f6bb83ded..6c0db0f67 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -133,7 +133,12 @@ class WatchersController < ApplicationController
 users = scope.active.visible.sorted.like(params[:q]).to_a
 users += scope_groups.active.visible.sorted.like(params[:q]).to_a
 if @watchables && @watchables.size == 1
- users -= @watchables.first.watcher_users
+ watchable_object = @watchables.first
+ users -= watchable_object.watcher_users
+
+ if watchable_object.respond_to?(:visible?)
+ users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)}
+ end
 end
 users
 end
diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index 4ab9c8243..4e93ce606 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -335,6 +335,20 @@ class WatchersControllerTest < Redmine::ControllerTest
 assert_not_include hidden.name, response.body
 end
 
+ def test_autocomplete_for_user_should_not_return_users_without_object_visibility
+ @request.session[:user_id] = 1
+ get :autocomplete_for_user, :params => {
+ q: 'rober',
+ project_id: 'onlinestore',
+ object_id: '4',
+ object_type: 'issue'
+ }, :xhr => true
+
+ assert_response :success
+
+ assert response.body.blank?
+ end
+
 def test_append
 @request.session[:user_id] = 2
 assert_no_difference 'Watcher.count' do
-- 
2.22.0
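Review bot: The visibility filter only runs inside `if @watchables && @watchables.size == 1`, so when the autocomplete is called with several watchables (or with none) the candidate list is still returned without any per-object `visible?` check, which leaves part of the commit's stated goal unaddressed; if the multi-object case is reachable from the UI, the rejection should apply to every watchable, e.g. `users.reject! {|user| user.is_a?(User) && @watchables.any? {|w| w.respond_to?(:visible?) && !w.visible?(user)}}`. The `user.is_a?(User)` guard also means a group is still proposed even when none of its members can see the object; if that is intentional it deserves a comment such as `# groups are not filtered here: group visibility is resolved per member when the watcher is added`, otherwise the group branch needs its own check. Note as well that `reject!` runs after `like(params[:q])` has already produced the list, so any limit applied earlier in the scope (not visible in this hunk) would be applied before filtering and could return fewer entries than expected. The enclosing method starts outside the hunk.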
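Review bot: `assert response.body.blank?` is a weak assertion for this test: it also passes when `'rober'` matches no fixture user at all, when the `project_id: 'onlinestore'` / `object_id: '4'` lookup yields nothing, or when the controller renders an empty body for an unrelated reason, so a regression in the visibility filter could go unnoticed. A positive control would make the test meaningful, for example a second request for the same `q` against an object the matched user can see (or without `object_id`), asserting `assert_not response.body.blank?` there and `assert_not_include` of the matched user's name in the filtered response here. A one-line comment naming which fixture user `'rober'` is expected to match and why that user cannot see issue 4 would also help the next reader, e.g. `# the user matched by 'rober' has no access to issue 4 in the onlinestore project`.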