Fixes request #33608: Preview of a linked artifact with a type does n…

…ot respect permissions

Change-Id: I94bab99f318a79e91f42b5fb67a6c2d45075ccba

plugins/tracker/include/Tracker/FormElement/Field/ArtifactLink/Type/ArtifactInTypeTablePresenter.php

@@ -37,6 +37,7 @@ class ArtifactInTypeTablePresenter
     public $artifactlink_field_id;
 
     public function __construct(
+        \PFUser $current_user,
         \Tuleap\Tracker\Artifact\Artifact $artifact,
         $html_classes,
         Tracker_FormElement_Field_ArtifactLink $field,
@@ -46,7 +47,6 @@ public function __construct(
         $tracker            = $artifact->getTracker();
         $project            = $tracker->getProject();
         $user_helper        = \UserHelper::instance();
-        $current_user       = \UserManager::instance()->getCurrentUser();
 
         $this->direct_link_to_artifact   = $artifact->fetchDirectLinkToArtifact();
         $this->project_public_name       = $project->getPublicName();

plugins/tracker/include/Tracker/FormElement/Field/ArtifactLink/Type/TypeTablePresenter.php

@@ -43,6 +43,7 @@ class TypeTablePresenter
     public const TABLE_ID_PREFIX = "tracker_report_table_type_";
 
     public function __construct(
+        \PFUser $current_user,
         TypePresenter $type,
         array $artifact_links,
         bool $is_reverse_artifact_links,
@@ -67,8 +68,12 @@ public function __construct(
         $this->artifact_links = [];
         $html_classes         = '';
         foreach ($artifact_links as $artifact_link) {
-            $artifact               = $art_factory->getArtifactById($artifact_link->getArtifactId());
+            $artifact = $art_factory->getArtifactByIdUserCanView($current_user, $artifact_link->getArtifactId());
+            if ($artifact === null) {
+                continue;
+            }
             $this->artifact_links[] = new ArtifactInTypeTablePresenter(
+                $current_user,
                 $artifact,
                 $html_classes,
                 $field,
@@ -80,11 +85,13 @@ public function __construct(
     }
 
     public static function buildForHeader(
+        \PFUser $current_user,
         TypePresenter $type_presenter,
         Tracker_FormElement_Field_ArtifactLink $field,
         bool $are_links_deletable,
     ): TypeTablePresenter {
         return new TypeTablePresenter(
+            $current_user,
             $type_presenter,
             [],
             false,

plugins/tracker/include/Tracker/FormElement/Tracker_FormElement_Field_ArtifactLink.php

@@ -565,7 +565,7 @@ class="tracker-form-element-artifactlink-renderer-async"
                         data-renderer-data="' . Codendi_HTMLPurifier::instance()->purify($json_encoded_data) . '"></div></div>';
             }
 
-            $html .= $this->fetchTypeTables($artifact_links_to_render, $reverse_artifact_links);
+            $html .= $this->fetchTypeTables($current_user, $artifact_links_to_render, $reverse_artifact_links);
         } else {
             $html .= $this->getNoValueLabelForLinks($artifact);
         }
@@ -609,7 +609,7 @@ private function fetchRendererAsArtifactLink(
         return $renderer->fetchAsArtifactLink($matching_ids, $this->getId(), $read_only, $prefill_removed_values, $prefill_edited_types, $reverse_artifact_links, false, $from_aid);
     }
 
-    private function fetchTypeTables(ArtifactLinksToRender $artifact_links_to_render, $is_reverse_artifact_links)
+    private function fetchTypeTables(\PFUser $current_user, ArtifactLinksToRender $artifact_links_to_render, $is_reverse_artifact_links): string
     {
         static $type_tables_cache = [];
         if (isset($type_tables_cache[spl_object_hash($artifact_links_to_render)][$is_reverse_artifact_links])) {
@@ -621,6 +621,7 @@ private function fetchTypeTables(ArtifactLinksToRender $artifact_links_to_render
             $html .= $template_renderer->renderToString(
                 'artifactlink-type-table',
                 new TypeTablePresenter(
+                    $current_user,
                     $artifact_links_per_type->getTypePresenter(),
                     $artifact_links_per_type->getArtifactLinks(),
                     $is_reverse_artifact_links,
@@ -734,7 +735,7 @@ public function process(Tracker_IDisplayTrackerLayout $layout, $request, $curren
                     }
                 }
 
-                $this->appendTypeTable($request, $result, $is_reverse);
+                $this->appendTypeTable($current_user, $request, $result, $is_reverse);
                 if ($result) {
                     $head = [];
                     $rows = [];
@@ -1735,7 +1736,7 @@ private function getTemplateRenderer()
         return TemplateRendererFactory::build()->getRenderer(TRACKER_TEMPLATE_DIR);
     }
 
-    private function appendTypeTable(Codendi_Request $request, array &$result, bool $is_reverse_artifact_links)
+    private function appendTypeTable(PFUser $current_user, Codendi_Request $request, array &$result, bool $is_reverse_artifact_links): void
     {
         if (! $this->getTracker()->isProjectAllowedToUseType()) {
             return;
@@ -1746,39 +1747,43 @@ private function appendTypeTable(Codendi_Request $request, array &$result, bool
             return;
         }
 
-        $type_presenter        = $this->getTypePresenterFactory()->getFromShortname($type_shortname);
+        $type_presenter = $this->getTypePresenterFactory()->getFromShortname($type_shortname);
+        if ($type_presenter === null) {
+            return;
+        }
         $key                   = "type_$type_shortname";
         $art_factory           = $this->getArtifactFactory();
         $artifact_html_classes = 'additional';
         $type_html             = '';
-        $head_html             = '';
         $ids                   = $request->get('ids');
+        $are_links_deletable   = $this->areLinksDeletable(
+            $type_presenter,
+            $is_reverse_artifact_links,
+        );
 
         foreach (explode(',', $ids) as $id) {
-            $artifact = $art_factory->getArtifactById(trim($id));
+            $artifact = $art_factory->getArtifactByIdUserCanView($current_user, (int) trim($id));
 
-            $are_links_deletable = $this->areLinksDeletable(
-                $type_presenter,
-                $is_reverse_artifact_links,
-            );
-
-            if (! is_null($artifact) && $artifact->getTracker()->isActive()) {
-                $type_html .= $this->getTemplateRenderer()->renderToString(
-                    'artifactlink-type-table-row',
-                    new ArtifactInTypeTablePresenter(
-                        $artifact,
-                        $artifact_html_classes,
-                        $this,
-                        $are_links_deletable,
-                    )
-                );
+            if ($artifact === null) {
+                continue;
             }
+
+            $type_html .= $this->getTemplateRenderer()->renderToString(
+                'artifactlink-type-table-row',
+                new ArtifactInTypeTablePresenter(
+                    $current_user,
+                    $artifact,
+                    $artifact_html_classes,
+                    $this,
+                    $are_links_deletable,
+                )
+            );
         }
 
         if ($type_html !== '') {
             $head_html = $this->getTemplateRenderer()->renderToString(
                 'artifactlink-type-table-head',
-                TypeTablePresenter::buildForHeader($type_presenter, $this, $are_links_deletable)
+                TypeTablePresenter::buildForHeader($current_user, $type_presenter, $this, $are_links_deletable)
             );
 
             $result[$key] = ['head' => $head_html, 'rows' => $type_html];