
context leaks data user has no access to #119

@ftobler

Summary

ViewCustomize.context.project.customFields leaks custom field values which the user does not have access to.

Description

ViewCustomize.context.project.customFields contains all defined custom fields for this project. It contains them even if the user does not have access to them. Access is defined for custom fields in administration->custom fields->project->visible:"to these roles only". The equivalent Redmine API request to /projects/[id].json does filter the fields access correctly.

I am no Ruby programmer, nor do I have a Redmine instance to quickly test what I am saying, but I suspect a potential fix might be: in view_hook.rb:144, change project.custom_field_values.. to project.visible_custom_field_values()... This is based on the existence of Redmine's function def visible_custom_field_values(user = nil) in project.rb:1001.

Environment

  • View customize plugin version 3.4.1
  • Redmine version 5.0.3.stable
  • Ruby version 2.7.4-p191 (2021-07-07) [x86_64-linux-gnu]
  • Rails version 6.1.7
  • Installed other plugins
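The following Ruby example is added here to illustrate the reported problem; it is not code from the view_customize plugin or from Redmine. It is a self-contained, simplified model of Redmine's per-role custom field visibility (the "to these roles only" setting): the visible_by? check, the Project class, the user and role objects, and the sample field values are all constructed for this illustration. It builds the customFields part of a context hash both from the unfiltered value list and from the list filtered for the requesting user, which is the difference the report describes.

```ruby
# Constructed model of Redmine-style custom field visibility (not Redmine's code).
Role = Struct.new(:name)

User = Struct.new(:name, :admin, :roles) do
  # Simplified: the same roles apply to every project.
  def roles_for_project(_project)
    roles
  end
end

# visible = true  -> field is visible to any user
# visible = false -> "to these roles only": visible only to members holding one of `roles`
CustomField = Struct.new(:name, :visible, :roles) do
  # Loosely modelled on Redmine's CustomField#visible_by?(project, user).
  def visible_by?(project, user)
    return true if visible || user.admin
    (user.roles_for_project(project) & roles).any?
  end
end

CustomValue = Struct.new(:custom_field, :value)

class Project
  # Every defined value, regardless of who is asking.
  attr_reader :custom_field_values

  def initialize(custom_field_values)
    @custom_field_values = custom_field_values
  end

  # Stands in for Redmine's Project#visible_custom_field_values(user = nil):
  # only values whose field the given user may see.
  def visible_custom_field_values(user)
    custom_field_values.select { |v| v.custom_field.visible_by?(self, user) }
  end
end

# Turns a list of values into the name => value hash a page script would read.
def context_from(values)
  values.to_h { |v| [v.custom_field.name, v.value] }
end

# Unfiltered: restricted values reach the browser of every project member.
def leaky_context(project)
  context_from(project.custom_field_values)
end

# Filtered: the context only carries values the current user is allowed to see.
def safe_context(project, user)
  context_from(project.visible_custom_field_values(user))
end

# Constructed sample data: one public field, one field restricted to managers.
MANAGER = Role.new('Manager')
DEVELOPER = Role.new('Developer')

SAMPLE_PROJECT = Project.new([
  CustomValue.new(CustomField.new('Public Note', true, []), 'visible to everyone'),
  CustomValue.new(CustomField.new('Budget', false, [MANAGER]), '250000')
])

DEV_USER = User.new('dev', false, [DEVELOPER])
MANAGER_USER = User.new('pm', false, [MANAGER])

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered:     #{leaky_context(SAMPLE_PROJECT).inspect}"
  puts "dev sees:       #{safe_context(SAMPLE_PROJECT, DEV_USER).inspect}"
  puts "manager sees:   #{safe_context(SAMPLE_PROJECT, MANAGER_USER).inspect}"
end
```

Run with plain ruby; the developer's filtered context contains only "Public Note", while the unfiltered hash exposes "Budget" to every member. The same filter-before-serialize rule applies wherever server-side data is embedded into a page for client scripts: the check that protects the JSON API has to be applied to the embedded context too, otherwise the view layer becomes a second, unprotected path to the same data.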
