Improve issue visibility checks in attachment related methods (#43635).

git-svn-id: https://svn.redmine.org/redmine/trunk@24262 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-03-23 09:19:55 +00:00 · 2026-01-05 08:25:11 +00:00 · 2026-01-05 08:25:11 +00:00 · a2069c2982
commit a2069c2982
parent 1b0307b02d
2 changed files with 24 additions and 2 deletions
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@ -217,7 +217,7 @@ class Issue < ApplicationRecord

  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
  def attachments_editable?(user=User.current)
-    attributes_editable?(user)
+    visible?(user) && attributes_editable?(user)
  end

  # Returns true if user or current user is allowed to add notes to the issue
@ -232,7 +232,7 @@ class Issue < ApplicationRecord

  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_deletable?
  def attachments_deletable?(user=User.current)
-    attributes_editable?(user)
+    visible?(user) && attributes_editable?(user)
  end

  def initialize(attributes=nil, *args)
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@ -3628,4 +3628,26 @@ class IssueTest < ActiveSupport::TestCase
    r = Issue.like('issue today')
    assert_include Issue.find(7), r
  end
+
+  def test_attachments_editable_should_check_issue_visibility
+    # private issue
+    i = Issue.find(14)
+
+    # user jsmith has permission to view issue
+    assert i.attachments_editable?(User.find(2))
+
+    # user dlopper does not have permission to view issue
+    assert_not i.attachments_editable?(User.find(3))
+  end
+
+  def test_attachments_deletable_should_check_issue_visibility
+    # private issue
+    i = Issue.find(14)
+
+    # user jsmith has permission to view issue
+    assert i.attachments_deletable?(User.find(2))
+
+    # user dlopper does not have permission to view issue
+    assert_not i.attachments_deletable?(User.find(3))
+  end
 end