Fix autocomplete for users fails with 403 error when there are multiple objects from different projects (#36446).

Patch by Dmitry Makurin. git-svn-id: http://svn.redmine.org/redmine/trunk@21394 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 19:47:14 +00:00 · 2022-02-01 20:11:56 +00:00 · 2022-02-01 20:11:56 +00:00 · d2f64ee928
commit d2f64ee928
parent 5ea0340b8d
3 changed files with 42 additions and 3 deletions
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@ -134,8 +134,12 @@ class WatchersController < ApplicationController

  def users_for_new_watcher
    scope = nil
-    if params[:q].blank? && @project.present?
-      scope = @project.principals.assignable_watchers
+    if params[:q].blank?
+      if @project.present?
+        scope = @project.principals.assignable_watchers
+      elsif @projects.present? && @projects.size > 1
+        scope = Principal.joins(:members).where(:members => { :project_id => @projects }).assignable_watchers.distinct
+      end
    else
      scope = Principal.assignable_watchers.limit(100)
    end
--- a/app/views/watchers/_new.html.erb
+++ b/app/views/watchers/_new.html.erb
@ -31,7 +31,7 @@ title =
                 :controller => 'watchers',
                 :action => 'autocomplete_for_user',
                 :object_type => (watchables.present? ? watchables.first.class.name.underscore : nil),
-                 :object_id => (watchables.present? && watchables.size == 1 ? watchables.first.id : nil),
+                 :object_id => (watchables.present? ? watchables.map(&:id) : nil),
                 :project_id => @project
               )
             )}'
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@ -191,6 +191,20 @@ class WatchersControllerTest < Redmine::ControllerTest
    assert_match /ajax-modal/, response.body
  end

+  def test_new_with_multiple_objects_from_different_projects
+    @request.session[:user_id] = 2
+    get :new, :params => {
+      :object_id => [7, 9],
+      :object_type => 'issue'
+    }, :xhr => true
+    assert_response :success
+
+    assert_match(
+      %r{/watchers/autocomplete_for_user\?object_id%5B%5D=7&object_id%5B%5D=9&object_type=issue},
+      response.body
+    )
+  end
+
  def test_create_as_html
    @request.session[:user_id] = 2
    assert_difference('Watcher.count') do
@ -426,6 +440,27 @@ class WatchersControllerTest < Redmine::ControllerTest
    assert response.body.blank?
  end

+  def test_autocomplete_with_multiple_objects_from_different_projects
+    @request.session[:user_id] = 2
+
+    # 7 => eCookbook
+    # 9 => Private child of eCookbook
+    get :autocomplete_for_user, :params => {
+      :object_id => [7, 9],
+      :object_type => 'issue'
+    }, :xhr => true
+
+    assert_response :success
+
+    # All users from two projects eCookbook (7) and Private child of eCookbook (9)
+    assert_select 'input', :count => 5
+    assert_select 'input[name=?][value="1"]', 'watcher[user_ids][]'
+    assert_select 'input[name=?][value="2"]', 'watcher[user_ids][]'
+    assert_select 'input[name=?][value="3"]', 'watcher[user_ids][]'
+    assert_select 'input[name=?][value="8"]', 'watcher[user_ids][]'
+    assert_select 'input[name=?][value="10"]', 'watcher[user_ids][]'
+  end
+
  def test_append
    @request.session[:user_id] = 2
    assert_no_difference 'Watcher.count' do