[#57077] Admin only User Custom field is visible to non-admin users
dombesz committed Aug 12, 2024
1 parent 806ba8f commit 87bd93a
Showing 2 changed files with 35 additions and 0 deletions.
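--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -187,6 +187,15 @@ def mail=(arg)
 write_attribute(:mail, arg.to_s.strip)
 end
 
+def self.available_custom_fields(_user)
+user = User.current
+RequestStore.fetch(:"#{name.underscore}_custom_fields_#{user.id}_#{user.admin?}") do
+scope = CustomField.where(type: "#{name}CustomField").order(:position)
+scope = scope.where(admin_only: false) if !user.admin?
+scope
+end
+end
+
 def self.search_in_project(query, options)
 options.fetch(:project).users.like(query)
 end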
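Review bot: The admin-only filter in `available_custom_fields` is decided from the ambient `User.current`, and the `_user` argument is ignored without explanation, so which fields come back depends on whoever is current when the method runs. Code that runs outside a normal request (background jobs, mailers, exports) may execute under a system or admin identity; that is not visible in this hunk and is worth confirming, because such a caller would receive admin-only fields for output that is later shown to non-admins. I would document the contract above the method, e.g. `# Visibility is decided by User.current (the viewer), not by the user passed in; admin-only fields are returned only when the viewer is an admin.`, and check that callers rendering for another recipient set the current user first. As a style point, `if !user.admin?` reads better as `unless user.admin?`. The new method is complete within the hunk.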
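--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1016,4 +1016,30 @@ def build_user_double_with_expired_password(is_expired)
 let(:model_instance) { user }
 let(:custom_field) { create(:user_custom_field, :string) }
 end
+
+describe ".available_custom_fields" do
+let(:admin) { build_stubbed(:admin) }
+let(:user) { build_stubbed(:user) }
+
+shared_let(:user_cf) { create(:user_custom_field) }
+shared_let(:admin_user_cf) { create(:user_custom_field, admin_only: true) }
+
+context "for an admin" do
+current_user { admin }
+
+it "returns all fields including admin-only" do
+expect(user.available_custom_fields)
+.to contain_exactly(user_cf, admin_user_cf)
+end
+end
+
+context "for a member" do
+current_user { user }
+
+it "does not return admin-only field" do
+expect(user.available_custom_fields)
+.to contain_exactly(user_cf)
+end
+end
+end
 end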
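Review bot: The two contexts under `.available_custom_fields` cover an admin and a regular member, but not the cases where the access decision is most likely to go wrong: an anonymous or unset current user, and a change of current user while the `RequestStore` entry is already populated. Since the model builds its cache key from `user.id` and `user.admin?`, an example that reads the fields as the admin and then as the member, and expects the admin-only field to disappear, would pin that a cached admin result is never served to a non-admin. The examples also call the instance method `user.available_custom_fields`, while the commit adds the class method; presumably the instance method delegates to it, but a direct expectation on `User.available_custom_fields(user)` would make that explicit. The enclosing top-level describe block starts outside the hunk.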
