From f44e0ed97f2029d9f2b5e4327a03034ad7f64f1d Mon Sep 17 00:00:00 2001
From: Holger Just <holger@plan.io>
Date: Fri, 29 Jun 2018 17:20:57 +0200
Subject: [PATCH] Only allow the use of visible custom fields in time entry
 reports

---
 lib/redmine/helpers/time_report.rb     |  8 ++++----
 test/functional/timelog_report_test.rb | 12 ++++++++++++
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/lib/redmine/helpers/time_report.rb b/lib/redmine/helpers/time_report.rb
index fb6384cb69..5287ae95e4 100644
--- a/lib/redmine/helpers/time_report.rb
+++ b/lib/redmine/helpers/time_report.rb
@@ -129,13 +129,13 @@ module Redmine
                                }
 
         # Add time entry custom fields
-        custom_fields = TimeEntryCustomField.all
+        custom_fields = TimeEntryCustomField.visible
         # Add project custom fields
-        custom_fields += ProjectCustomField.all
+        custom_fields += ProjectCustomField.visible
         # Add issue custom fields
-        custom_fields += (@project.nil? ? IssueCustomField.for_all : @project.all_issue_custom_fields)
+        custom_fields += @project.nil? ? IssueCustomField.visible.for_all : @project.all_issue_custom_fields.visible
         # Add time entry activity custom fields
-        custom_fields += TimeEntryActivityCustomField.all
+        custom_fields += TimeEntryActivityCustomField.visible
 
         # Add list and boolean custom fields as available criteria
         custom_fields.select {|cf| %w(list bool).include?(cf.field_format) && !cf.multiple?}.each do |cf|
diff --git a/test/functional/timelog_report_test.rb b/test/functional/timelog_report_test.rb
index 35ec559fcd..252a5909c0 100644
--- a/test/functional/timelog_report_test.rb
+++ b/test/functional/timelog_report_test.rb
@@ -135,6 +135,18 @@ class TimelogReportTest < Redmine::ControllerTest
     end
   end
 
+  def test_hidden_custom_fields_should_not_be_proposed
+    TimeEntryCustomField.create!(name: 'shown', field_format: 'list', possible_values: ['value1', 'value2'], visible: true)
+    TimeEntryCustomField.create!(name: 'Hidden', field_format: 'list', possible_values: ['value1', 'value2'], visible: false)
+
+    get :report, :params => {:project_id => 1}
+    assert_response :success
+    assert_select 'select[name=?]', 'criteria[]' do
+      assert_select 'option', :text => 'Shown'
+      assert_select 'option', :text => 'Hidden', :count => 0
+    end
+  end
+
   def test_report_one_day
     get :report, :params => {:project_id => 1, :columns => 'day', :from => "2007-03-23", :to => "2007-03-23", :criteria => ["user", "activity"]}
     assert_response :success
-- 
2.17.1