Check view watchers permission when copying issues (#40946).

Patch by Jens Kraemer (@jkraemer). git-svn-id: https://svn.redmine.org/redmine/trunk@22914 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 11:37:14 +00:00 · 2024-07-08 21:30:36 +00:00 · 2024-07-08 21:30:36 +00:00 · f9f486bdd0
commit f9f486bdd0
parent 2d20811f40
2 changed files with 22 additions and 2 deletions
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@ -314,9 +314,9 @@ class Issue < ApplicationRecord
        attachement.copy(:container => self)
      end
    end
+
    unless options[:watchers] == false
-      self.watcher_user_ids =
-        issue.watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)
+      self.watcher_user_ids = issue.visible_watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)
    end
    @copied_from = issue
    @copy_options = options
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@ -1498,6 +1498,8 @@ class IssueTest < ActiveSupport::TestCase
    user2 = User.find(3)
    issue = Issue.find(8)

+    User.current = user
+
    Watcher.create!(:user => user, :watchable => issue)
    Watcher.create!(:user => user2, :watchable => issue)

@ -1511,6 +1513,24 @@ class IssueTest < ActiveSupport::TestCase
    assert !issue.watched_by?(user2)
  end

+  def test_copy_should_not_copy_watchers_without_permission
+    user = User.find(2)
+    user2 = User.find(3)
+    issue = Issue.find(8)
+
+    Role.find(1).remove_permission! :view_issue_watchers
+    User.current = user
+
+    Watcher.create!(:user => user, :watchable => issue)
+    Watcher.create!(:user => user2, :watchable => issue)
+
+    issue = Issue.new.copy_from(8)
+
+    assert issue.save
+    assert issue.watched_by?(user)
+    assert !issue.watched_by?(user2)
+  end
+
  def test_copy_should_clear_subtasks_target_version_if_locked_or_closed
    version = Version.new(:project => Project.find(1), :name => '2.1')
    version.save!