Fixed: Calendar and Gantt show private subprojects even if current user is not a member of them (#1217).

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1431 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/project.rb

@@ -73,9 +73,9 @@ class Project < ActiveRecord::Base
   
   def issues_with_subprojects(include_subprojects=false)
     conditions = nil
-    if include_subprojects && !active_children.empty?
-      ids = [id] + active_children.collect {|c| c.id}
-      conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"]
+    if include_subprojects
+      ids = [id] + child_ids
+      conditions = ["#{Project.table_name}.id IN (#{ids.join(',')}) AND #{Project.visible_by}"]
     end
     conditions ||= ["#{Project.table_name}.id = ?", id]
     # Quick and dirty fix for Rails 2 compatibility
@@ -93,6 +93,7 @@ class Project < ActiveRecord::Base
   end	
 
   def self.visible_by(user=nil)
+    user ||= User.current
     if user && user.admin?
       return "#{Project.table_name}.status=#{Project::STATUS_ACTIVE}"
     elsif user && user.memberships.any?

test/fixtures/issues.yml

@@ -71,4 +71,20 @@ issues_005:
   assigned_to_id: 
   author_id: 2
   status_id: 1
-  
+issues_006: 
+  created_on: <%= 1.minute.ago.to_date.to_s(:db) %>
+  project_id: 5
+  updated_on: <%= 1.minute.ago.to_date.to_s(:db) %>
+  priority_id: 4
+  subject: Issue of a private subproject
+  id: 6
+  fixed_version_id: 
+  category_id: 
+  description: This is an issue of a private subproject of cookbook
+  tracker_id: 1
+  assigned_to_id: 
+  author_id: 2
+  status_id: 1
+  start_date: <%= Date.today.to_s(:db) %>
+  due_date: <%= 1.days.from_now.to_date.to_s(:db) %>
+  

test/functional/projects_controller_test.rb

@@ -29,6 +29,7 @@ class ProjectsControllerTest < Test::Unit::TestCase
     @controller = ProjectsController.new
     @request    = ActionController::TestRequest.new
     @response   = ActionController::TestResponse.new
+    @request.session[:user_id] = nil
   end
 
   def test_index
@@ -237,11 +238,21 @@ class ProjectsControllerTest < Test::Unit::TestCase
     assert_not_nil assigns(:calendar)
   end
 
-  def test_calendar_with_subprojects
+  def test_calendar_with_subprojects_should_not_show_private_subprojects
     get :calendar, :id => 1, :with_subprojects => 1, :tracker_ids => [1, 2]
     assert_response :success
     assert_template 'calendar'
     assert_not_nil assigns(:calendar)
+    assert_no_tag :tag => 'a', :content => /#6/
+  end
+  
+  def test_calendar_with_subprojects_should_show_private_subprojects
+    @request.session[:user_id] = 2
+    get :calendar, :id => 1, :with_subprojects => 1, :tracker_ids => [1, 2]
+    assert_response :success
+    assert_template 'calendar'
+    assert_not_nil assigns(:calendar)
+    assert_tag :tag => 'a', :content => /#6/
   end
 
   def test_gantt
@@ -251,13 +262,23 @@ class ProjectsControllerTest < Test::Unit::TestCase
     assert_not_nil assigns(:events)
   end
 
-  def test_gantt_with_subprojects
+  def test_gantt_with_subprojects_should_not_show_private_subprojects
     get :gantt, :id => 1, :with_subprojects => 1, :tracker_ids => [1, 2]
     assert_response :success
     assert_template 'gantt.rhtml'
     assert_not_nil assigns(:events)
+    assert_no_tag :tag => 'a', :content => /#6/
   end
   
+  def test_gantt_with_subprojects_should_show_private_subprojects
+    @request.session[:user_id] = 2
+    get :gantt, :id => 1, :with_subprojects => 1, :tracker_ids => [1, 2]
+    assert_response :success
+    assert_template 'gantt.rhtml'
+    assert_not_nil assigns(:events)
+    assert_tag :tag => 'a', :content => /#6/
+  end
+
   def test_gantt_export_to_pdf
     get :gantt, :id => 1, :format => 'pdf'
     assert_response :success