From 8a804e7f1bd7ae67068341742ee89140ea58c9a0 Mon Sep 17 00:00:00 2001
From: Holger Just <holger@plan.io>
Date: Mon, 30 May 2022 12:57:10 +0200
Subject: [PATCH 1/2] Validate category_id against available categories in
 project #37171

---
 app/models/issue.rb     | 6 ++++++
 test/unit/issue_test.rb | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/app/models/issue.rb b/app/models/issue.rb
index 73fd3f8cd5..4d3da2ce01 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -759,6 +759,12 @@ def validate_issue
       end
     end
 
+    if project && category_id
+      unless project.issue_category_ids.include?(category_id)
+        errors.add :category_id, :inclusion
+      end
+    end
+
     # Checks that the issue can not be added/moved to a disabled tracker
     if project && (tracker_id_changed? || project_id_changed?)
       if tracker && !project.trackers.include?(tracker)
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index a0d9485c22..0c09ef5e10 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -1721,6 +1721,14 @@ def test_should_keep_shared_version_when_changing_project
     assert issue.save
   end
 
+  def test_should_not_be_able_to_set_an_invalid_category_id
+    issue = Issue.new(:project_id => 1, :tracker_id => 1, :author_id => 1,
+                      :status_id => 1, :category_id => 3,
+                      :subject => 'New issue')
+    assert !issue.save
+    assert_not_equal [], issue.errors[:category_id]
+  end
+
   def test_allowed_target_projects_should_include_projects_with_issue_tracking_enabled
     assert_include Project.find(2), Issue.allowed_target_projects(User.find(2))
   end
-- 
2.34.0