From bf2ea91919936e2e817baf485342d685f3fe8a90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Fri, 17 Apr 2026 10:55:43 +0200
Subject: [PATCH] Fix visibility scope of groups in members filters

https://community.openproject.org/work_packages/74000
---
 app/controllers/members_controller.rb | 2 +-
 app/controllers/users_controller.rb | 2 +-
 .../work_packages/filter/group_filter.rb | 2 +-
 spec/controllers/members_controller_spec.rb | 20 +++++++++++++++++++
 .../work_packages/filter/group_filter_spec.rb | 4 ++--
 spec/views/users/index.html.erb_spec.rb | 2 +-
 6 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/app/controllers/members_controller.rb b/app/controllers/members_controller.rb
index e969080bf0d0..fef8f2a04769 100644
--- a/app/controllers/members_controller.rb
+++ b/app/controllers/members_controller.rb
@@ -166,7 +166,7 @@ def members_table_options(roles)
 end
 def members_filter_options(roles)
- groups = Group.all.sort
+ groups = Group.visible.sort
 shares = WorkPackageRole.all
 status = Members::UserFilterComponent.status_param(params)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 66c45903af7e..01f21d2bb2e7 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -67,7 +67,7 @@ class UsersController < ApplicationController
 include PaginationHelper
 def index
- @groups = Group.all.sort
+ @groups = Group.visible.sort
 @status = Users::UserFilterComponent.status_param params
 @users = Users::UserFilterComponent.filter params
 end
diff --git a/app/models/queries/work_packages/filter/group_filter.rb b/app/models/queries/work_packages/filter/group_filter.rb
index 853fc9ed5594..46a1578b1d2e 100644
--- a/app/models/queries/work_packages/filter/group_filter.rb
+++ b/app/models/queries/work_packages/filter/group_filter.rb
@@ -93,6 +93,6 @@ def user_ids_for_filtering
 end
 def all_groups
- @all_groups ||= ::Group.all
+ @all_groups ||= ::Group.visible
 end
 end
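Review bot: In `members_filter_options`, `groups = Group.visible.sort` narrows what the filter drop-down lists, but nothing in this hunk shows the submitted group filter value being checked against the same scope. If `Members::UserFilterComponent` (and `Users::UserFilterComponent.filter params` in the `UsersController#index` hunk) resolves a group id from `params` without going through `Group.visible`, results could still be filtered by a group that is no longer listed; that code is outside the diff, so this needs confirming. A comment above the line would also help, e.g. `# Only offer groups the current user may see; do not fall back to Group.all`. The method body continues past the end of the hunk.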
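Review bot: `@groups = Group.visible.sort` in `UsersController#index` has no regression test in this commit: the only users-related spec touched is `spec/views/users/index.html.erb_spec.rb`, which assigns `Group.visible` itself and so never runs the controller line. A controller spec mirroring the new `MembersController` `#index` example (one group the logged-in user can see, one they cannot, asserting on `assigns(:groups)`) would keep this from silently reverting to `Group.all`.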
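Review bot: `all_groups` now memoizes `::Group.visible` with no explicit user, so the set of allowed values presumably depends on whichever user is current when the filter is first evaluated. If this filter can run outside a request made by the user the query belongs to (not visible here), the scope should be given that user explicitly rather than relying on ambient state. The method name is also misleading after this change; `visible_groups`, or a comment such as `# Restricted to groups visible to the current user; values naming other groups are not offered`, would make the intent clear. The enclosing class starts outside the hunk.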
diff --git a/spec/controllers/members_controller_spec.rb b/spec/controllers/members_controller_spec.rb
index 42c8abf0550e..5f4aaede6fdd 100644
--- a/spec/controllers/members_controller_spec.rb
+++ b/spec/controllers/members_controller_spec.rb
@@ -211,6 +211,26 @@
 end
 end
+ describe "#index" do
+ let(:role) { create(:project_role, permissions: [:manage_members]) }
+ let!(:member) { create(:member, project:, user:, roles: [role]) }
+
+ let!(:visible_group) { create(:group, members: [user]) }
+ let!(:hidden_group) { create(:group) }
+
+ before { login_as(user) }
+
+ it "only includes groups the user is a member of in the filter options" do
+ get :index, params: { project_id: project.id }
+
+ expect(response).to be_successful
+
+ groups = assigns(:members_filter_options)[:groups]
+ expect(groups).to include(visible_group)
+ expect(groups).not_to include(hidden_group)
+ end
+ end
+
 describe "#create with reduced visibility" do
 let(:project_permissions) { %i[manage_members invite_members_by_email] }
 let!(:other_project) { create(:project) }
diff --git a/spec/models/queries/work_packages/filter/group_filter_spec.rb b/spec/models/queries/work_packages/filter/group_filter_spec.rb
index 17279d11abe8..7808cb6e90ad 100644
--- a/spec/models/queries/work_packages/filter/group_filter_spec.rb
+++ b/spec/models/queries/work_packages/filter/group_filter_spec.rb
@@ -59,7 +59,7 @@
 describe "#allowed_values" do
 before do
 allow(Group)
- .to receive(:all)
+ .to receive(:visible)
 .and_return [group]
 end
@@ -81,7 +81,7 @@
 before do
 allow(Group)
- .to receive(:all)
+ .to receive(:visible)
 .and_return([group, group2])
 instance.values = [group2.id.to_s]
diff --git a/spec/views/users/index.html.erb_spec.rb b/spec/views/users/index.html.erb_spec.rb
index 15fcb5af24b8..ff8d74da9b57 100644
--- a/spec/views/users/index.html.erb_spec.rb
+++ b/spec/views/users/index.html.erb_spec.rb
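Review bot: The new `#index` example is titled "only includes groups the user is a member of", but the code under test calls `Group.visible`, whose rules are not shown in this commit and may be broader than own membership. `hidden_group` has no members and no project membership, so only the simplest exclusion is covered; a group that belongs to a project the user cannot see would be a more telling negative case. Suggest renaming to `it "only includes groups visible to the user in the filter options" do` and adding that second hidden group. `project` and `user` are defined outside the hunk.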
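Review bot: Both `before` blocks (here under `#allowed_values` and in the hunk at `@@ -81,7 +81,7 @@`) swap the stub on `Group.all` for a stub on `Group.visible`, so no example in this spec checks that a group the user cannot see is actually left out of the filter's allowed values. An unstubbed example with one visible and one non-visible persisted group would test the behaviour this commit fixes rather than the name of the method being called.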
@@ -41,7 +41,7 @@
 assign(:users, User.where(id: [admin.id, user.id]))
 assign(:status, "all")
- assign(:groups, Group.all)
+ assign(:groups, Group.visible)
 without_partial_double_verification do
 allow(view).to receive_messages(current_user: admin, controller_name: "users", action_name: "index")