diff --git a/app/components/projects/row_component.html.erb b/app/components/projects/row_component.html.erb
index 079fdd97e470..0a88ea785638 100644
--- a/app/components/projects/row_component.html.erb
+++ b/app/components/projects/row_component.html.erb
@@ -70,7 +70,7 @@ See COPYRIGHT and LICENSE files for more details.
<% end %>
-<% if project.description.present? %>
+<% if User.current.allowed_in_project?(:view_project, project) && project.description.present? %>
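Review bot: The template re-implements the permission check inline with `User.current.allowed_in_project?(:view_project, project)` while the component in the same commit gains `user_can_view_project?` for exactly that predicate, so there are now two copies of the authorization decision that can drift apart. Calling the helper from the view keeps the rule in one place: `<% if user_can_view_project? && project.description.present? %>` (this assumes component methods are reachable from the template, as is usual for component templates in this layout; confirm the helper's visibility allows it). Only the changed line of the hunk is visible here, so the enclosing markup and the rest of the hunk are outside what can be checked.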
diff --git a/app/components/projects/row_component.rb b/app/components/projects/row_component.rb
index 9f2fdaf1d90f..0c284e983756 100644
--- a/app/components/projects/row_component.rb
+++ b/app/components/projects/row_component.rb
@@ -52,6 +52,8 @@ def column_value(column)
end
def custom_field_column(column)
+ return nil unless user_can_view_project?
+
cf = custom_field(column)
custom_value = project.formatted_custom_value_for(cf)
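Review bot: The guard `return nil unless user_can_view_project?` is added by hand to `custom_field_column` here and again to `project_status` and `status_explanation` in the next two hunks, which leaves the deny decision spread over three renderers and is easy to miss for any other column that exposes project details. If `column_value(column)` (visible only in the hunk header) is the single dispatch point for these renderers, consider applying the check once there, or at least noting in `column_value` which columns are meant to stay visible to users without `:view_project`, e.g. `# Only the project name/identifier columns are shown to users who lack :view_project; detail columns return nil.`. The spec in this commit covers description, status and the custom field, so a future column would need its own negative test. `custom_field_column`'s body continues past the end of the hunk.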
@@ -92,6 +94,8 @@ def name
end
def project_status
+ return nil unless user_can_view_project?
+
content = ''.html_safe
status_code = project.status_code
@@ -106,6 +110,8 @@ def project_status
end
def status_explanation
+ return nil unless user_can_view_project?
+
if project.status_explanation
content_tag :div, helpers.format_text(project.status_explanation), class: 'wiki'
end
@@ -165,5 +171,9 @@ def additional_css_class(column)
"format-#{cf.field_format}#{formattable}"
end
end
+
+ def user_can_view_project?
+ User.current.allowed_in_project?(:view_project, project)
+ end
end
end
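Review bot: `user_can_view_project?` re-evaluates `User.current.allowed_in_project?(:view_project, project)` on every call, and the new guards invoke it from three column renderers for each row, so a permission lookup that may involve a query is repeated per cell. Caching the result on the component instance removes that cost; because the value can legitimately be `false`, use `defined?` rather than `||=`, which would re-run the lookup on a falsy result: `return @user_can_view_project if defined?(@user_can_view_project)` followed by `@user_can_view_project = User.current.allowed_in_project?(:view_project, project)`. Whether this method lands under `private` cannot be told from the hunk; it is an internal predicate and should not become part of the component's public surface. A one-line comment such as `# True when the current user may see this project's details (description, status, custom fields).` would also document why the other renderers return nil.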
diff --git a/spec/features/projects/projects_index_spec.rb b/spec/features/projects/projects_index_spec.rb
index 315319d3847b..fa13ac9b6f75 100644
--- a/spec/features/projects/projects_index_spec.rb
+++ b/spec/features/projects/projects_index_spec.rb
@@ -35,7 +35,7 @@
shared_let(:manager) { create(:project_role, name: 'Manager') }
shared_let(:developer) { create(:project_role, name: 'Developer') }
- shared_let(:custom_field) { create(:project_custom_field) }
+ shared_let(:custom_field) { create(:text_project_custom_field) }
shared_let(:invisible_custom_field) { create(:project_custom_field, visible: false) }
shared_let(:project) do
@@ -60,6 +60,8 @@
let(:news) { create(:news, project:) }
let(:projects_page) { Pages::Projects::Index.new }
+ include ProjectStatusHelper
+
def load_and_open_filters(user)
login_as(user)
projects_page.visit!
@@ -120,6 +122,41 @@ def expect_projects_in_order(*projects)
end
end
+ context 'for work package members', with_ee: %i[custom_fields_in_projects_list] do
+ shared_let(:work_package) { create(:work_package, project: development_project) }
+ shared_let(:user) do
+ create(:user,
+ member_with_permissions: { work_package => [:view_work_packages] },
+ login: 'nerd',
+ firstname: 'Alan',
+ lastname: 'Turing')
+ end
+
+ specify 'only public projects or those the user is member in a specific work package' do
+ Setting.enabled_projects_columns += [custom_field.column_name]
+
+ development_project.update(
+ description: 'I am a nice project',
+ status_explanation: 'We are on track',
+ status_code: 'on_track',
+ custom_field_values: { custom_field.id => 'This is a test value' }
+ )
+
+ login_as(user)
+ visit projects_path
+
+ expect(page).to have_text(development_project.name)
+ expect(page).to have_text(public_project.name)
+ expect(page).not_to have_text(project.name)
+
+ # They should not see the description, status or custom fields for the project
+ expect(page).not_to have_text(development_project.description)
+ expect(page).not_to have_text(project_status_name(development_project.status_code))
+ expect(page).not_to have_text(development_project.status_explanation)
+ expect(page).not_to have_text(development_project.custom_value_for(custom_field))
+ end
+ end
+
context 'for admins' do
before do
project.update(created_at: 7.days.ago, description: 'I am a nice project')