Read-only field permission for the project field is ignored if the current project has subprojects (#37685).

Patch by salman mp. git-svn-id: https://svn.redmine.org/redmine/trunk@21937 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 19:47:14 +00:00 · 2022-10-31 09:04:46 +00:00 · 2022-10-31 09:04:46 +00:00 · e1928aaf19
commit e1928aaf19
parent e881e11021
2 changed files with 31 additions and 5 deletions
--- a/app/helpers/issues_helper.rb
+++ b/app/helpers/issues_helper.rb
@ -764,12 +764,18 @@ module IssuesHelper
  end

  def projects_for_select(issue)
-    if issue.parent_issue_id.present?
-      issue.allowed_target_projects_for_subtask(User.current)
-    elsif @project && issue.new_record? && !issue.copy?
-      issue.allowed_target_projects(User.current, 'tree')
+    projects =
+      if issue.parent_issue_id.present?
+        issue.allowed_target_projects_for_subtask(User.current)
+      elsif @project && issue.new_record? && !issue.copy?
+        issue.allowed_target_projects(User.current, 'tree')
+      else
+        issue.allowed_target_projects(User.current)
+      end
+    if issue.read_only_attribute_names(User.current).include?('project_id')
+      params['project_id'].present? ? Project.where(identifier: params['project_id']) : projects
    else
-      issue.allowed_target_projects(User.current)
+      projects
    end
  end
 end
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@ -5665,6 +5665,26 @@ class IssuesControllerTest < Redmine::ControllerTest
    assert_select 'select[name=?]', 'issue[project_id]', 0
  end

+  def test_new_should_hide_project_if_user_is_not_allowed_to_change_project_in_hierarchy_projects
+    WorkflowPermission.create!(:role_id => 1, :tracker_id => 1, :old_status_id => 1,
+                               :field_name => 'project_id', :rule => 'readonly')
+
+    @request.session[:user_id] = 2
+    get(:new, :params => { :tracker_id => 1, :project_id => 1 })
+    assert_response :success
+    assert_select 'select[name=?]', 'issue[project_id]', 0
+  end
+
+  def test_new_should_show_project_if_user_is_not_allowed_to_change_project_global_new_issue
+    WorkflowPermission.create!(:role_id => 1, :tracker_id => 1, :old_status_id => 1,
+                               :field_name => 'project_id', :rule => 'readonly')
+
+    @request.session[:user_id] = 2
+    get(:new, :params => { :tracker_id => 1})
+    assert_response :success
+    assert_select 'select[name=?]', 'issue[project_id]'
+  end
+
  def test_edit_should_not_hide_project_when_user_changes_the_project_even_if_project_is_readonly_on_target_project
    WorkflowPermission.create!(:role_id => 1, :tracker_id => 1, :old_status_id => 1,
                               :field_name => 'project_id', :rule => 'readonly')