From 019f57e5c71e96b80b2fb1abc49c9fe4df50c705 2013-06-06 16:19:53
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: 2013-06-06 16:19:53
Subject: [PATCH] Fixed that journal details about issue relations may disclose issues that are not visible (#1005).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11939 e93f8b46-1217-0410-a6f0-8f06a7374b81

---

diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb
index 0f65bb4..d51c9cb 100644
--- a/app/helpers/issues_helper.rb
+++ b/app/helpers/issues_helper.rb
@@ -308,11 +308,11 @@ module IssuesHelper
       label = l(:label_attachment)
     when 'relation'
       if detail.value && !detail.old_value
-        rel_issue = Issue.find_by_id(detail.value)
+        rel_issue = Issue.visible.find_by_id(detail.value)
         value = rel_issue.nil? ? "#{l(:label_issue)} #{detail.value}" :
                   (no_html ? rel_issue : link_to_issue(rel_issue))
       elsif detail.old_value && !detail.value
-        rel_issue = Issue.find_by_id(detail.old_value)
+        rel_issue = Issue.visible.find_by_id(detail.old_value)
         old_value = rel_issue.nil? ? "#{l(:label_issue)} #{detail.old_value}" :
                           (no_html ? rel_issue : link_to_issue(rel_issue))
       end
diff --git a/test/unit/helpers/issues_helper_test.rb b/test/unit/helpers/issues_helper_test.rb
index 1c243d9..b49410f 100644
--- a/test/unit/helpers/issues_helper_test.rb
+++ b/test/unit/helpers/issues_helper_test.rb
@@ -227,6 +227,16 @@ class IssuesHelperTest < ActionView::TestCase
     assert_equal "<strong>Precedes</strong> <i>Issue #{non_existed_issue_number}</i> added", show_detail(detail, false)
   end
 
+  def test_show_detail_relation_added_should_not_disclose_issue_that_is_not_visible
+    issue = Issue.generate!(:is_private => true)
+    detail = JournalDetail.new(:property => 'relation',
+                               :prop_key => 'label_precedes',
+                               :value    => issue.id)
+
+    assert_equal "Precedes Issue #{issue.id} added", show_detail(detail, true)
+    assert_equal "<strong>Precedes</strong> <i>Issue #{issue.id}</i> added", show_detail(detail, false)
+  end
+
   def test_show_detail_delete_relation
     detail = JournalDetail.new(:property  => 'relation',
                                :prop_key  => 'label_precedes',
@@ -242,4 +252,14 @@ class IssuesHelperTest < ActionView::TestCase
     assert_equal "Precedes deleted (Issue 9999)", show_detail(detail, true)
     assert_equal "<strong>Precedes</strong> deleted (<i>Issue 9999</i>)", show_detail(detail, false)
   end
+
+  def test_show_detail_relation_deleted_should_not_disclose_issue_that_is_not_visible
+    issue = Issue.generate!(:is_private => true)
+    detail = JournalDetail.new(:property => 'relation',
+                               :prop_key => 'label_precedes',
+                               :old_value    => issue.id)
+
+    assert_equal "Precedes deleted (Issue #{issue.id})", show_detail(detail, true)
+    assert_equal "<strong>Precedes</strong> deleted (<i>Issue #{issue.id}</i>)", show_detail(detail, false)
+  end
 end