Merge pull request #14370 from opf/fix-project-index

Do not display project infos on the index page

app/components/projects/row_component.html.erb

@@ -70,7 +70,7 @@ See COPYRIGHT and LICENSE files for more details.
     <% end %>
   </td>
 </tr>
-<% if project.description.present? %>
+<% if User.current.allowed_in_project?(:view_project, project) && project.description.present? %>
   <tr class="project-description <%= project_css_classes %> <%= row_css_level_classes %> <%= params[:expand] == 'all' ? '-expanded' : '' %>"
       data-project-target="descriptionRow"
       data-project-id="<%= project.id %>">

app/components/projects/row_component.rb

@@ -52,6 +52,8 @@ def column_value(column)
     end
 
     def custom_field_column(column)
+      return nil unless user_can_view_project?
+
       cf = custom_field(column)
       custom_value = project.formatted_custom_value_for(cf)
 
@@ -92,6 +94,8 @@ def name
     end
 
     def project_status
+      return nil unless user_can_view_project?
+
       content = ''.html_safe
 
       status_code = project.status_code
@@ -106,6 +110,8 @@ def project_status
     end
 
     def status_explanation
+      return nil unless user_can_view_project?
+
       if project.status_explanation
         content_tag :div, helpers.format_text(project.status_explanation), class: 'wiki'
       end
@@ -165,5 +171,9 @@ def additional_css_class(column)
         "format-#{cf.field_format}#{formattable}"
       end
     end
+
+    def user_can_view_project?
+      User.current.allowed_in_project?(:view_project, project)
+    end
   end
 end

spec/features/projects/projects_index_spec.rb

@@ -35,7 +35,7 @@
   shared_let(:manager)   { create(:project_role, name: 'Manager') }
   shared_let(:developer) { create(:project_role, name: 'Developer') }
 
-  shared_let(:custom_field) { create(:project_custom_field) }
+  shared_let(:custom_field) { create(:text_project_custom_field) }
   shared_let(:invisible_custom_field) { create(:project_custom_field, visible: false) }
 
   shared_let(:project) do
@@ -60,6 +60,8 @@
   let(:news) { create(:news, project:) }
   let(:projects_page) { Pages::Projects::Index.new }
 
+  include ProjectStatusHelper
+
   def load_and_open_filters(user)
     login_as(user)
     projects_page.visit!
@@ -120,6 +122,41 @@ def expect_projects_in_order(*projects)
       end
     end
 
+    context 'for work package members', with_ee: %i[custom_fields_in_projects_list] do
+      shared_let(:work_package) { create(:work_package, project: development_project) }
+      shared_let(:user) do
+        create(:user,
+               member_with_permissions: { work_package => [:view_work_packages] },
+               login: 'nerd',
+               firstname: 'Alan',
+               lastname: 'Turing')
+      end
+
+      specify 'only public projects or those the user is member in a specific work package' do
+        Setting.enabled_projects_columns += [custom_field.column_name]
+
+        development_project.update(
+          description: 'I am a nice project',
+          status_explanation: 'We are on track',
+          status_code: 'on_track',
+          custom_field_values: { custom_field.id => 'This is a test value' }
+        )
+
+        login_as(user)
+        visit projects_path
+
+        expect(page).to have_text(development_project.name)
+        expect(page).to have_text(public_project.name)
+        expect(page).not_to have_text(project.name)
+
+        # They should not see the description, status or custom fields for the project
+        expect(page).not_to have_text(development_project.description)
+        expect(page).not_to have_text(project_status_name(development_project.status_code))
+        expect(page).not_to have_text(development_project.status_explanation)
+        expect(page).not_to have_text(development_project.custom_value_for(custom_field))
+      end
+    end
+
     context 'for admins' do
       before do
         project.update(created_at: 7.days.ago, description: 'I am a nice project')