Do not propose watchers that are not allowed to see the object (#33329).

Patch by Marius BALTEANU. git-svn-id: http://svn.redmine.org/redmine/trunk@20724 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-02-01 03:57:15 +00:00 · 2021-01-24 05:31:18 +00:00 · 2021-01-24 05:31:18 +00:00 · 0f4228d4e6
commit 0f4228d4e6
parent 020f56d933
2 changed files with 20 additions and 1 deletions
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@ -141,7 +141,12 @@ class WatchersController < ApplicationController
    end
    users = scope.sorted.like(params[:q]).to_a
    if @watchables && @watchables.size == 1
-      users -= @watchables.first.watcher_users
+      watchable_object = @watchables.first
+      users -= watchable_object.watcher_users
+
+      if watchable_object.respond_to?(:visible?)
+        users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)}
+      end
    end
    users
  end
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@ -335,6 +335,20 @@ class WatchersControllerTest < Redmine::ControllerTest
    assert_not_include hidden.name, response.body
  end

+  def test_autocomplete_for_user_should_not_return_users_without_object_visibility
+    @request.session[:user_id] = 1
+    get :autocomplete_for_user, :params => {
+      q: 'rober',
+      project_id: 'onlinestore',
+      object_id: '4',
+      object_type: 'issue'
+    }, :xhr => true
+
+    assert_response :success
+
+    assert response.body.blank?
+  end
+
  def test_append
    @request.session[:user_id] = 2
    assert_no_difference 'Watcher.count' do