Consider only roles with either add_issues or edit_issues permissions for any status transitions (#37635).

Patch by Holger Just. git-svn-id: https://svn.redmine.org/redmine/trunk@21817 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-18 21:43:01 +01:00 · 2022-09-17 06:14:27 +00:00
parent 12c7061416
commit d4b7634cc6
2 changed files with 29 additions and 4 deletions
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -677,9 +677,7 @@ class Issue < ActiveRecord::Base
  def workflow_rule_by_attribute(user=nil)
    return @workflow_rule_by_attribute if @workflow_rule_by_attribute && user.nil?

-    user_real = user || User.current
-    roles = user_real.admin ? Role.all.to_a : user_real.roles_for_project(project)
-    roles = roles.select(&:consider_workflow?)
+    roles = roles_for_workflow(user || User.current)
    return {} if roles.empty?

    result = {}
@@ -1066,7 +1064,7 @@ class Issue < ActiveRecord::Base
    statuses = []
    statuses += IssueStatus.new_statuses_allowed(
      initial_status,
-      user.admin ? Role.all.to_a : user.roles_for_project(project),
+      roles_for_workflow(user),
      tracker,
      author == user,
      assignee_transitions_allowed
@@ -2053,4 +2051,9 @@ class Issue < ActiveRecord::Base
      Project
    end
  end
+
+  def roles_for_workflow(user)
+    roles = user.admin ? Role.all.to_a : user.roles_for_project(project)
+    roles.select(&:consider_workflow?)
+  end
 end
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -859,6 +859,28 @@ class IssueTest < ActiveSupport::TestCase
    assert_equal expected_statuses, issue.new_statuses_allowed_to(admin)
  end

+  def test_new_statuses_allowed_to_should_only_return_transitions_of_considered_workflows
+    issue = Issue.find(9)
+
+    WorkflowTransition.delete_all
+    WorkflowTransition.create!(:role_id => 1, :tracker_id => 1, :old_status_id => 1, :new_status_id => 2)
+
+    developer = Role.find(2)
+    developer.remove_permission! :edit_issues
+    developer.remove_permission! :add_issues
+    assert !developer.consider_workflow?
+    WorkflowTransition.create!(:role_id => 2, :tracker_id => 1, :old_status_id => 1, :new_status_id => 3)
+
+    # status 3 is not displayed
+    expected_statuses = IssueStatus.where(:id => [1, 2])
+
+    admin = User.find(1)
+    assert_equal expected_statuses, issue.new_statuses_allowed_to(admin)
+
+    author = User.find(8)
+    assert_equal expected_statuses, issue.new_statuses_allowed_to(author)
+  end
+
  def test_new_statuses_allowed_to_should_return_allowed_statuses_when_copying
    Tracker.find(1).generate_transitions! :role_id => 1, :clear => true, 0 => [1, 3]