Fixed: User with groups may not see issues assigned to him or to its groups (#9478).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@7771 e93f8b46-1217-0410-a6f0-8f06a7374b81
2011-11-11 12:22:47 +00:00 · 2011-11-11 12:22:47 +00:00 · 857cf5db38
parent a920184c83
commit 857cf5db38
2 changed files with 25 additions and 2 deletions
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@ -95,10 +95,10 @@ class Issue < ActiveRecord::Base
        nil
      when 'default'
        user_ids = [user.id] + user.groups.map(&:id)
-        "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids}))"
+        "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
      when 'own'
        user_ids = [user.id] + user.groups.map(&:id)
-        "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids}))"
+        "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
      else
        '1=0'
      end
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@ -160,6 +160,29 @@ class IssueTest < ActiveSupport::TestCase
    assert_visibility_match user, issues
  end

+  def test_visible_scope_for_member_with_groups_should_return_assigned_issues
+    user = User.find(8)
+    assert user.groups.any?
+    Member.create!(:principal => user.groups.first, :project_id => 1, :role_ids => [2])
+    Role.non_member.remove_permission!(:view_issues)
+    
+    issue = Issue.create(:project_id => 1, :tracker_id => 1, :author_id => 3,
+      :status_id => 1, :priority => IssuePriority.all.first,
+      :subject => 'Assignment test',
+      :assigned_to => user.groups.first,
+      :is_private => true)
+    
+    Role.find(2).update_attribute :issues_visibility, 'default'
+    issues = Issue.visible(User.find(8)).all
+    assert issues.any?
+    assert issues.include?(issue)
+    
+    Role.find(2).update_attribute :issues_visibility, 'own'
+    issues = Issue.visible(User.find(8)).all
+    assert issues.any?
+    assert issues.include?(issue)
+  end
+
  def test_visible_scope_for_admin
    user = User.find(1)
    user.members.each(&:destroy)