diff --git a/app/components/projects/row_component.html.erb b/app/components/projects/row_component.html.erb
index 079fdd97e470..0a88ea785638 100644
--- a/app/components/projects/row_component.html.erb
+++ b/app/components/projects/row_component.html.erb
@@ -70,7 +70,7 @@ See COPYRIGHT and LICENSE files for more details.
 <% end %>
-<% if project.description.present? %>
+<% if User.current.allowed_in_project?(:view_project, project) && project.description.present? %>
diff --git a/app/components/projects/row_component.rb b/app/components/projects/row_component.rb
index 9f2fdaf1d90f..0c284e983756 100644
--- a/app/components/projects/row_component.rb
+++ b/app/components/projects/row_component.rb
@@ -52,6 +52,8 @@ def column_value(column)
 end
 def custom_field_column(column)
+ return nil unless user_can_view_project?
+
 cf = custom_field(column)
 custom_value = project.formatted_custom_value_for(cf)
@@ -92,6 +94,8 @@ def name
 end
 def project_status
+ return nil unless user_can_view_project?
+
 content = ''.html_safe
 status_code = project.status_code
@@ -106,6 +110,8 @@ def project_status
 end
 def status_explanation
+ return nil unless user_can_view_project?
+
 if project.status_explanation
 content_tag :div, helpers.format_text(project.status_explanation), class: 'wiki'
 end
@@ -165,5 +171,9 @@ def additional_css_class(column)
 "format-#{cf.field_format}#{formattable}"
 end
 end
+
+ def user_can_view_project?
+ User.current.allowed_in_project?(:view_project, project)
+ end
 end
 end
diff --git a/spec/features/projects/projects_index_spec.rb b/spec/features/projects/projects_index_spec.rb
index 315319d3847b..fa13ac9b6f75 100644
--- a/spec/features/projects/projects_index_spec.rb
+++ b/spec/features/projects/projects_index_spec.rb
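Review bot: `user_can_view_project?` re-runs `User.current.allowed_in_project?` on every call, and with the new guards in `custom_field_column`, `project_status` and `status_explanation` plus the inline copy of the same condition in row_component.html.erb, each rendered row performs the permission check up to four times; unless `allowed_in_project?` caches internally, a long project list pays that per row. Memoize the result in the component, `return @user_can_view_project if defined?(@user_can_view_project)` followed by `@user_can_view_project = User.current.allowed_in_project?(:view_project, project)`, using `defined?` rather than `||=` so a `false` answer is cached too. The template should then call the same helper (`<% if user_can_view_project? && project.description.present? %>`) so the authorization condition has one definition that cannot drift between the Ruby and ERB halves; this assumes the template is compiled into the component and can reach the method, as ViewComponent does. The bodies of `custom_field_column` and `project_status` continue outside their hunks, and other column renderers dispatched from `column_value` are not visible here and would be worth checking for the same missing guard.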
@@ -35,7 +35,7 @@
 shared_let(:manager) { create(:project_role, name: 'Manager') }
 shared_let(:developer) { create(:project_role, name: 'Developer') }
- shared_let(:custom_field) { create(:project_custom_field) }
+ shared_let(:custom_field) { create(:text_project_custom_field) }
 shared_let(:invisible_custom_field) { create(:project_custom_field, visible: false) }
 shared_let(:project) do
@@ -60,6 +60,8 @@
 let(:news) { create(:news, project:) }
 let(:projects_page) { Pages::Projects::Index.new }
+ include ProjectStatusHelper
+
 def load_and_open_filters(user)
 login_as(user)
 projects_page.visit!
@@ -120,6 +122,41 @@ def expect_projects_in_order(*projects)
 end
 end
+ context 'for work package members', with_ee: %i[custom_fields_in_projects_list] do
+ shared_let(:work_package) { create(:work_package, project: development_project) }
+ shared_let(:user) do
+ create(:user,
+ member_with_permissions: { work_package => [:view_work_packages] },
+ login: 'nerd',
+ firstname: 'Alan',
+ lastname: 'Turing')
+ end
+
+ specify 'only public projects or those the user is member in a specific work package' do
+ Setting.enabled_projects_columns += [custom_field.column_name]
+
+ development_project.update(
+ description: 'I am a nice project',
+ status_explanation: 'We are on track',
+ status_code: 'on_track',
+ custom_field_values: { custom_field.id => 'This is a test value' }
+ )
+
+ login_as(user)
+ visit projects_path
+
+ expect(page).to have_text(development_project.name)
+ expect(page).to have_text(public_project.name)
+ expect(page).not_to have_text(project.name)
+
+ # They should not see the description, status or custom fields for the project
+ expect(page).not_to have_text(development_project.description)
+ expect(page).not_to have_text(project_status_name(development_project.status_code))
+ expect(page).not_to have_text(development_project.status_explanation)
+ expect(page).not_to have_text(development_project.custom_value_for(custom_field))
+ end
+ end
+
 context 'for admins' do
 before do
 project.update(created_at: 7.days.ago, description: 'I am a nice project')
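Review bot: The four `not_to have_text` assertions at the end of the new example can pass vacuously, because a negative text match is satisfied whenever the expected string is absent for any reason, and `development_project.custom_value_for(custom_field)` appears to return a CustomValue record rather than the string assigned a few lines earlier, so whether its `to_s` equals the rendered value decides if that last line checks anything. Assert against the literal instead, `expect(page).not_to have_text('This is a test value')`, and add a positive control in the same context — a user holding `:view_project` on `development_project` who does see the description, status and custom field — so the hidden-text assertions are known to be discriminating. `Setting.enabled_projects_columns += [custom_field.column_name]` also changes a global setting without restoring it; if the suite does not reset settings between examples, later examples in this file inherit the extra column.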