From a3fbdb8aea5b553bf059f87fb569a5f221ae8708 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Mon, 5 Jan 2026 08:25:50 +0000
Subject: [PATCH] Merge r24262 from trunk to 6.1-stable (#43635).
git-svn-id: https://svn.redmine.org/redmine/branches/6.1-stable@24263 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/issue.rb | 4 ++--
 test/unit/issue_test.rb | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 34f02b300..5da0b3395 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -213,7 +213,7 @@ class Issue < ApplicationRecord
 # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
 def attachments_editable?(user=User.current)
- attributes_editable?(user)
+ visible?(user) && attributes_editable?(user)
 end
 # Returns true if user or current user is allowed to add notes to the issue
@@ -228,7 +228,7 @@ class Issue < ApplicationRecord
 # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_deletable?
 def attachments_deletable?(user=User.current)
- attributes_editable?(user)
+ visible?(user) && attributes_editable?(user)
 end
 def initialize(attributes=nil, *args)
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index 5b286f264..be8fb0347 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
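Review bot: The new `visible?(user) &&` guard in `attachments_editable?` has no comment explaining why visibility is checked before `attributes_editable?`, so a later cleanup could remove it as redundant. The same applies to `attachments_deletable?` in the second hunk. I would add a line above each method such as `# An issue the user cannot see must not have its attachments changed, whatever edit permission would otherwise allow.` The predicate documented as "Returns true if user or current user is allowed to add notes to the issue" lies between the two hunks with its body outside them, so it is worth confirming that it applies the same visibility gate.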
@@ -3628,4 +3628,26 @@ class IssueTest < ActiveSupport::TestCase
 r = Issue.like('issue today')
 assert_include Issue.find(7), r
 end
+
+ def test_attachments_editable_should_check_issue_visibility
+ # private issue
+ i = Issue.find(14)
+
+ # user jsmith has permission to view issue
+ assert i.attachments_editable?(User.find(2))
+
+ # user dlopper does not have permission to view issue
+ assert_not i.attachments_editable?(User.find(3))
+ end
+
+ def test_attachments_deletable_should_check_issue_visibility
+ # private issue
+ i = Issue.find(14)
+
+ # user jsmith has permission to view issue
+ assert i.attachments_deletable?(User.find(2))
+
+ # user dlopper does not have permission to view issue
+ assert_not i.attachments_deletable?(User.find(3))
+ end
 end
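Review bot: The negative assertions in both new tests, `assert_not i.attachments_editable?(User.find(3))` and its `attachments_deletable?` twin, do not show that the refusal comes from the visibility check. If the fixtures give dlopper no edit permission on issue 14, they would pass even without the `visible?` guard. Asserting the precondition first would pin the behaviour, e.g. `assert_not i.visible?(User.find(3))` followed by `assert i.attributes_editable?(User.find(3))`, assuming the fixture roles allow the latter. The fixture data is outside this hunk, so this needs checking against it.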