Ensure that a UserQuery can only be viewed or edited by admins (#42352).

Patch by Holger Just (user:hjust).

git-svn-id: https://svn.redmine.org/redmine/trunk@23530 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/user_query.rb

@@ -34,6 +34,15 @@ class UserQuery < Query
     QueryAssociationColumn.new(:auth_source, :name, caption: :field_auth_source, sortable: "#{AuthSource.table_name}.name")
   ]
 
+  def self.visible(*args)
+    user = args.shift || User.current
+    if user.admin?
+      where('1=1')
+    else
+      where('1=0')
+    end
+  end
+
   def initialize(attributes=nil, *args)
     super(attributes)
     self.filters ||= { 'status' => {operator: "=", values: [User::STATUS_ACTIVE]} }
@@ -65,6 +74,14 @@ class UserQuery < Query
     add_custom_fields_filters(user_custom_fields)
   end
 
+  def visible?(user=User.current)
+    user&.admin?
+  end
+
+  def editable_by?(user)
+    user&.admin?
+  end
+
   def auth_sources_values
     AuthSource.order(name: :asc).pluck(:name, :id)
   end

test/unit/user_query_test.rb

@@ -209,6 +209,30 @@ class UserQueryTest < ActiveSupport::TestCase
     assert_equal [2, 1], users.pluck(:id)
   end
 
+  def test_user_query_is_only_visible_to_admins
+    q = UserQuery.new(name: '_')
+    assert q.save
+
+    admin = User.admin(true).first
+    user = User.admin(false).first
+
+    assert q.visible?(admin)
+    assert_include q, UserQuery.visible(admin).to_a
+
+    assert_not q.visible?(user)
+    assert_not_include q, UserQuery.visible(user)
+  end
+
+  def test_user_query_is_only_editable_by_admins
+    q = UserQuery.new(name: '_')
+
+    admin = User.admin(true).first
+    user = User.admin(false).first
+
+    assert q.editable_by?(admin)
+    assert_not q.editable_by?(user)
+  end
+
   def find_users_with_query(query)
     User.where(query.statement).to_a
   end