Merge r24262 from trunk to 6.1-stable (#43635).

git-svn-id: https://svn.redmine.org/redmine/branches/6.1-stable@24263 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-02-02 12:50:08 +01:00 · 2026-01-05 08:25:50 +00:00
parent aa228212f2
commit a3fbdb8aea
2 changed files with 24 additions and 2 deletions
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -213,7 +213,7 @@ class Issue < ApplicationRecord

  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
  def attachments_editable?(user=User.current)
-    attributes_editable?(user)
+    visible?(user) && attributes_editable?(user)
  end

  # Returns true if user or current user is allowed to add notes to the issue
@@ -228,7 +228,7 @@ class Issue < ApplicationRecord

  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_deletable?
  def attachments_deletable?(user=User.current)
-    attributes_editable?(user)
+    visible?(user) && attributes_editable?(user)
  end

  def initialize(attributes=nil, *args)
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -3628,4 +3628,26 @@ class IssueTest < ActiveSupport::TestCase
    r = Issue.like('issue today')
    assert_include Issue.find(7), r
  end
+
+  def test_attachments_editable_should_check_issue_visibility
+    # private issue
+    i = Issue.find(14)
+
+    # user jsmith has permission to view issue
+    assert i.attachments_editable?(User.find(2))
+
+    # user dlopper does not have permission to view issue
+    assert_not i.attachments_editable?(User.find(3))
+  end
+
+  def test_attachments_deletable_should_check_issue_visibility
+    # private issue
+    i = Issue.find(14)
+
+    # user jsmith has permission to view issue
+    assert i.attachments_deletable?(User.find(2))
+
+    # user dlopper does not have permission to view issue
+    assert_not i.attachments_deletable?(User.find(3))
+  end
 end