From 28e2205720f31cc28afaf9fa5fa4801fa9980953 Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Mon, 29 Aug 2022 20:29:48 +0200
Subject: [PATCH] Consider only roles with either add_issues or edit_issues permissions for any status transitions

Workflows for roles without one of those permissions can not be edited. It is still possible that there are existing workflows for roles which previously had those permissions. Before this commit, these workflows were still considered. After this commit, they are ignored and only workflows for roles granting either add issues or edit issues permissions now considered.
---
 app/models/issue.rb | 5 ++++-
 test/unit/issue_test.rb | 22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 84907a475f..0516a61869 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -1064,9 +1064,12 @@ def new_statuses_allowed_to(user=User.current, include_default=false)
 (user.id == initial_assigned_to_id || user.group_ids.include?(initial_assigned_to_id))
 statuses = []
+
+ roles = user.admin ? Role.all.to_a : user.roles_for_project(project)
+ roles = roles.select(&:consider_workflow?)
 statuses += IssueStatus.new_statuses_allowed(
 initial_status,
- user.admin ? Role.all.to_a : user.roles_for_project(project),
+ roles,
 tracker,
 author == user,
 assignee_transitions_allowed
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index f054cee965..b056ffb18c 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
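Review bot: The two added `roles = ...` lines in `new_statuses_allowed_to` carry an authorization decision without saying why, so a later cleanup could pass `user.roles_for_project(project)` straight through again and silently re-enable transitions from stale workflows. I would put a comment above the `select`, for example `# Workflows of roles lacking both :add_issues and :edit_issues may be stale leftovers and must not grant transitions`. As far as this hunk shows, the filter is applied only at this call site; any other code that resolves workflow rules per role (not visible here) should presumably use the same `consider_workflow?` check so the two cannot drift apart. The method begins and ends outside the hunk.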
@@ -859,6 +859,28 @@ def test_new_statuses_allowed_to_should_return_all_transitions_for_admin
 assert_equal expected_statuses, issue.new_statuses_allowed_to(admin)
 end
+ def test_new_statuses_allowed_to_should_only_return_transitions_of_considered_workflows
+ issue = Issue.find(9)
+
+ WorkflowTransition.delete_all
+ WorkflowTransition.create!(:role_id => 1, :tracker_id => 1, :old_status_id => 1, :new_status_id => 2)
+
+ developer = Role.find(2)
+ developer.remove_permission! :edit_issues
+ developer.remove_permission! :add_issues
+ assert !developer.consider_workflow?
+ WorkflowTransition.create!(:role_id => 2, :tracker_id => 1, :old_status_id => 1, :new_status_id => 3)
+
+ # status 3 is not displayed
+ expected_statuses = IssueStatus.where(:id => [1, 2])
+
+ admin = User.find(1)
+ assert_equal expected_statuses, issue.new_statuses_allowed_to(admin)
+
+ author = User.find(8)
+ assert_equal expected_statuses, issue.new_statuses_allowed_to(author)
+ end
+
 def test_new_statuses_allowed_to_should_return_allowed_statuses_when_copying
 Tracker.find(1).generate_transitions! :role_id => 1, :clear => true, 0 => [1, 3]
-- 
2.34.0
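Review bot: The non-admin assertion at the end of the new test only proves the filter if `User.find(8)` actually holds role 2 in the project of `Issue.find(9)`, which depends on fixtures not visible in this hunk; if that user is a member through role 1 only, the `roles_for_project` branch passes without ever touching the stripped role. An explicit precondition such as `assert_includes author.roles_for_project(issue.project), developer` before the final `assert_equal` would make the test fail loudly if the fixtures change. The test also covers only the case where both permissions are removed; a second case that removes just `:edit_issues` and still expects status 3 would pin the "either ... or" rule stated in the commit message.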