From 3c5f0af44d711c356b4143cfe37f9b7091df0c67 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Sun, 9 Mar 2025 23:22:46 +0000
Subject: [PATCH] Ensure that a UserQuery can only be viewed or edited by admins (#42352).

Patch by Holger Just (user:hjust).

git-svn-id: https://svn.redmine.org/redmine/trunk@23530 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/user_query.rb | 17 +++++++++++++++++
 test/unit/user_query_test.rb | 24 ++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/app/models/user_query.rb b/app/models/user_query.rb
index 2d605b902..fc8ba6463 100644
--- a/app/models/user_query.rb
+++ b/app/models/user_query.rb
@@ -34,6 +34,15 @@ class UserQuery < Query
 QueryAssociationColumn.new(:auth_source, :name, caption: :field_auth_source, sortable: "#{AuthSource.table_name}.name")
 ]
 
+ def self.visible(*args)
+ user = args.shift || User.current
+ if user.admin?
+ where('1=1')
+ else
+ where('1=0')
+ end
+ end
+
 def initialize(attributes=nil, *args)
 super(attributes)
 self.filters ||= { 'status' => {operator: "=", values: [User::STATUS_ACTIVE]} }
@@ -65,6 +74,14 @@ class UserQuery < Query
 add_custom_fields_filters(user_custom_fields)
 end
 
+ def visible?(user=User.current)
+ user&.admin?
+ end
+
+ def editable_by?(user)
+ user&.admin?
+ end
+
 def auth_sources_values
 AuthSource.order(name: :asc).pluck(:name, :id)
 end
diff --git a/test/unit/user_query_test.rb b/test/unit/user_query_test.rb
index 1f8ce3464..ef31ba2c2 100644
--- a/test/unit/user_query_test.rb
+++ b/test/unit/user_query_test.rb
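Review bot: `self.visible` hand-rolls its relations with `where('1=1')` and `where('1=0')`; ActiveRecord already provides `all` and `none` for exactly this, and `none` is a null relation that never reaches the database, so the body can collapse to `user&.admin? ? all : none`. The safe navigation also keeps this method consistent with the `visible?`/`editable_by?` overrides in the next hunk, which tolerate a nil user while this one assumes `args.shift || User.current` never yields nil — true only if `User.current` always returns a user object, which is not visible here. Note that the override only takes effect for callers that go through `UserQuery.visible`; any listing that queries the STI base class (`Query.visible`) would still be governed by the base class's visibility rules, so it is worth confirming no such path can surface user queries to non-admins. The `UserQuery` class and `initialize` continue outside the hunk.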
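Review bot: The `visible?` and `editable_by?` overrides carry no comment explaining why they ignore the query's own visibility and author settings that the base `Query` class presumably honours, so a future maintainer could easily "fix" them back to the inherited behaviour. I would add above `visible?`: `# User queries expose account data (status, auth source, custom fields), so they are admin-only regardless of the query's own visibility setting.` A smaller point: `user&.admin?` returns nil rather than false for a nil user, which is fine in predicate position but surfaces as nil if the value is ever serialized; `!!user&.admin?` would pin a boolean. The class body continues outside the hunk.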
@@ -209,6 +209,30 @@ class UserQueryTest < ActiveSupport::TestCase
 assert_equal [2, 1], users.pluck(:id)
 end
 
+ def test_user_query_is_only_visible_to_admins
+ q = UserQuery.new(name: '_')
+ assert q.save
+
+ admin = User.admin(true).first
+ user = User.admin(false).first
+
+ assert q.visible?(admin)
+ assert_include q, UserQuery.visible(admin).to_a
+
+ assert_not q.visible?(user)
+ assert_not_include q, UserQuery.visible(user)
+ end
+
+ def test_user_query_is_only_editable_by_admins
+ q = UserQuery.new(name: '_')
+
+ admin = User.admin(true).first
+ user = User.admin(false).first
+
+ assert q.editable_by?(admin)
+ assert_not q.editable_by?(user)
+ end
+
 def find_users_with_query(query)
 User.where(query.statement).to_a
 end
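Review bot: In `test_user_query_is_only_visible_to_admins` the positive assertion materializes the relation with `.to_a` while the negative one hands the bare relation to `assert_not_include`; for symmetry, and so a failure prints the actual list rather than a relation, use `assert_not_include q, UserQuery.visible(user).to_a`. The tests also never exercise the no-argument forms that fall back to `User.current` (`UserQuery.visible` and `q.visible?`), nor a nil user, so the default path of the new guards is untested; a case that sets `User.current` to the non-admin fixture user and asserts `assert_not q.visible?` and `assert_not_include q, UserQuery.visible.to_a` would cover it. Both added test methods are complete within the hunk.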