From 59f41591cb549ba81fc84000765a80b993fd29cc Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Mon, 29 Aug 2022 20:29:48 +0200
Subject: [PATCH] Consider only roles with either add_issues or edit_issues permissions for any status transitions

Workflows for roles without one of those permissions can not be edited. It is still possible that there are existing workflows for roles which previously had those permissions. Before this commit, these workflows were still considered. After this commit, they are ignored and only workflows for roles granting either add issues or edit issues permissions now considered.
---
 app/models/issue.rb | 11 +++++++----
 test/unit/issue_test.rb | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 84907a475f..0e634bf8bc 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -677,9 +677,7 @@ def required_attribute?(name, user=nil)
 def workflow_rule_by_attribute(user=nil)
 return @workflow_rule_by_attribute if @workflow_rule_by_attribute && user.nil?
- user_real = user || User.current
- roles = user_real.admin ? Role.all.to_a : user_real.roles_for_project(project)
- roles = roles.select(&:consider_workflow?)
+ roles = roles_for_workflow(user || User.current)
 return {} if roles.empty?
 result = {}
@@ -1066,7 +1064,7 @@ def new_statuses_allowed_to(user=User.current, include_default=false)
 statuses = []
 statuses += IssueStatus.new_statuses_allowed(
 initial_status,
- user.admin ? Role.all.to_a : user.roles_for_project(project),
+ roles_for_workflow(user),
 tracker,
 author == user,
 assignee_transitions_allowed
@@ -2053,4 +2051,9 @@ def filter_projects_scope(scope=nil)
 Project
 end
 end
+
+ def roles_for_workflow(user)
+ roles = user.admin ? Role.all.to_a : user.roles_for_project(project)
+ roles.select(&:consider_workflow?)
+ end
 end
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index f054cee965..b056ffb18c 100644
--- a/test/unit/issue_test.rb
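Review bot: The new `roles_for_workflow` helper in the last hunk of `app/models/issue.rb` carries no comment, although it now decides which roles' workflow rows count in both `workflow_rule_by_attribute` and `new_statuses_allowed_to`. I would add above it `# Roles of +user+ whose workflows apply to this issue; roles without add_issues or edit_issues are skipped so stale workflow rows cannot grant transitions.` The hunk does not show whether the method sits under a `private` marker, because the enclosing class starts outside it. If it is not private it should be, since only the model's own methods call it in this patch.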
+++ b/test/unit/issue_test.rb
@@ -859,6 +859,28 @@ def test_new_statuses_allowed_to_should_return_all_transitions_for_admin
 assert_equal expected_statuses, issue.new_statuses_allowed_to(admin)
 end
+ def test_new_statuses_allowed_to_should_only_return_transitions_of_considered_workflows
+ issue = Issue.find(9)
+
+ WorkflowTransition.delete_all
+ WorkflowTransition.create!(:role_id => 1, :tracker_id => 1, :old_status_id => 1, :new_status_id => 2)
+
+ developer = Role.find(2)
+ developer.remove_permission! :edit_issues
+ developer.remove_permission! :add_issues
+ assert !developer.consider_workflow?
+ WorkflowTransition.create!(:role_id => 2, :tracker_id => 1, :old_status_id => 1, :new_status_id => 3)
+
+ # status 3 is not displayed
+ expected_statuses = IssueStatus.where(:id => [1, 2])
+
+ admin = User.find(1)
+ assert_equal expected_statuses, issue.new_statuses_allowed_to(admin)
+
+ author = User.find(8)
+ assert_equal expected_statuses, issue.new_statuses_allowed_to(author)
+ end
+
 def test_new_statuses_allowed_to_should_return_allowed_statuses_when_copying
 Tracker.find(1).generate_transitions! :role_id => 1, :clear => true, 0 => [1, 3]
--
2.34.0
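Review bot: The new test never exercises a user whose only role in the issue's project is the one stripped of `add_issues` and `edit_issues`, which is the non-admin case this fix is about. The admin assertion covers the filtered `Role.all` path, but the hunk does not show which roles `User.find(8)` holds, so the second assertion may pass through a different role. I would add a case such as `assert_not_includes issue.new_statuses_allowed_to(member_with_only_role_2), IssueStatus.find(3)`, where `member_with_only_role_2` is a placeholder for a fixture user who is a member through role 2 alone. A short comment above `WorkflowTransition.create!(:role_id => 2, ...)` saying that this row stands for a leftover workflow of a role that lost its permissions would also make the setup easier to follow.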