Check issue visibility inside Journal#add_watcher (#2716).

git-svn-id: https://svn.redmine.org/redmine/trunk@24314 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 11:50:13 +01:00 · 2026-01-15 06:57:41 +00:00
parent 4bdac82572
commit 473270b63a
2 changed files with 30 additions and 7 deletions
--- a/app/models/journal.rb
+++ b/app/models/journal.rb
@@ -348,22 +348,27 @@ class Journal < ApplicationRecord
  end

  def add_watcher
-    if user&.active? &&
-        user.allowed_to?(:add_issue_watchers, project) &&
-        user.pref.auto_watch_on?('issue_contributed_to') &&
-        !Watcher.any_watched?(Array.wrap(journalized), user)
+    if user.is_a?(User) &&
+       user.pref.auto_watch_on?('issue_contributed_to') &&
+       valid_watcher?(user)
      journalized.set_watcher(user, true)
    end

    assignee = journalized.assigned_to
-    if assignee.is_a?(User) && assignee&.active? &&
-       assignee.allowed_to?(:add_issue_watchers, project) &&
+    if assignee.is_a?(User) &&
       assignee.pref.auto_watch_on?('issue_assigned_to_me') &&
-        !Watcher.any_watched?(Array.wrap(journalized), assignee)
+       valid_watcher?(assignee)
      journalized.set_watcher(assignee, true)
    end
  end

+  def valid_watcher?(user)
+    user.active? &&
+      user.allowed_to?(:add_issue_watchers, journalized.project) &&
+      journalized.valid_watcher?(user) &&
+      !journalized.watched_by?(user)
+  end
+
  def send_notification
    if notify? &&
        (
--- a/test/unit/journal_test.rb
+++ b/test/unit/journal_test.rb
@@ -292,4 +292,22 @@ class JournalTest < ActiveSupport::TestCase
    # Role "Developer" does not have the "View private notes" permission
    assert_equal [1, 2], journal.notified_mentions.map(&:id).sort
  end
+
+  def test_create_should_not_add_watcher_if_user_cannot_view_issue
+    user = User.generate!
+    project = Project.generate!(:is_public => false)
+    issue = Issue.generate!(:project => project)
+
+    assert !user.allowed_to?(:view_issues, project)
+
+    user.pref.auto_watch_on = ['issue_contributed_to']
+    user.save
+
+    journal = Journal.new(:journalized => issue, :notes => 'notes', :user => user)
+
+    assert_no_difference 'Watcher.count' do
+      assert journal.save
+    end
+    assert !journal.journalized.watched_by?(user)
+  end
 end