Use more visible scoping for users

app/components/users/hover_card_component.rb

@@ -34,7 +34,7 @@ class Users::HoverCardComponent < ApplicationComponent
   def initialize(id:)
     super
 
-    @user = User.find_by(id:)
+    @user = User.visible.find_by(id:)
   end
 
   def render?

app/controllers/placeholder_users/memberships_controller.rb

@@ -30,13 +30,14 @@
 
 class PlaceholderUsers::MembershipsController < ApplicationController
   include IndividualPrincipals::MembershipControllerMethods
+
   layout "admin"
 
   before_action :authorize_global
   before_action :find_individual_principal
 
   def find_individual_principal
-    @individual_principal = PlaceholderUser.find(params[:placeholder_user_id])
+    @individual_principal = PlaceholderUser.visible.find(params[:placeholder_user_id])
   end
 
   def redirected_to_tab(_membership)

app/controllers/placeholder_users_controller.rb

@@ -111,7 +111,7 @@ class PlaceholderUsersController < ApplicationController
       respond_to do |format|
         format.html do
           flash[:notice] = I18n.t(:notice_successful_update)
-          redirect_back(fallback_location: edit_placeholder_user_path(@placeholder_user))
+          redirect_back_or_to(edit_placeholder_user_path(@placeholder_user))
         end
       end
     else
@@ -146,7 +146,7 @@ class PlaceholderUsersController < ApplicationController
   private
 
   def find_placeholder_user
-    @placeholder_user = PlaceholderUser.find(params[:id])
+    @placeholder_user = PlaceholderUser.visible.find(params[:id])
   end
 
   protected

app/controllers/shares_controller.rb

@@ -57,7 +57,7 @@ class SharesController < ApplicationController
     visible_shares_before_adding = sharing_strategy.shares.present?
 
     find_or_create_users(send_notification: send_notification?) do |member_params|
-      user = User.find_by(id: member_params[:user_id])
+      user = User.visible.find_by(id: member_params[:user_id])
       if user.present? && (user.locked? || user.deleted?)
         @errors.add(:base, I18n.t("sharing.warning_locked_user", user: user.name))
       else

app/controllers/users/memberships_controller.rb

@@ -30,13 +30,14 @@
 
 class Users::MembershipsController < ApplicationController
   include IndividualPrincipals::MembershipControllerMethods
+
   layout "admin"
 
   before_action :authorize_global
   before_action :find_individual_principal
 
   def find_individual_principal
-    @individual_principal = User.find(params[:user_id])
+    @individual_principal = User.visible.find(params[:user_id])
   end
 
   def redirected_to_tab(membership)

app/services/projects/creation_wizard/create_artifact_work_package_service.rb

@@ -182,7 +182,7 @@ module Projects::CreationWizard
     end
 
     def assignee_mention_tag
-      principal = Principal.find(assigned_to_id)
+      principal = Principal.visible.find(assigned_to_id)
 
       ApplicationController.helpers.content_tag(
         "mention",

app/views/oauth/applications/_form.html.erb

@@ -110,7 +110,7 @@ See COPYRIGHT and LICENSE files for more details.
       </p>
       <% if @application.client_credentials_user_id %>
         <p class="form--field-instructions">
-          <% user = User.find(@application.client_credentials_user_id) %>
+          <% user = User.visible.find(@application.client_credentials_user_id) %>
           <span><%= t("oauth.client_credentials_impersonation_set_to") %></span>
           <%= link_to_user user %>
         </p>

app/views/oauth/applications/show.html.erb

@@ -54,7 +54,7 @@ See COPYRIGHT and LICENSE files for more details.
     <% component.with_attribute(
          key: t("oauth.client_credentials_impersonation_set_to")
        ) do %>
-      <%= link_to_user User.find_by(id: user_id) %>
+      <%= link_to_user User.visible.find_by(id: user_id) %>
       <br>
       <strong><%= t("oauth.client_credentials_impersonation_warning") %></strong>
     <% end %>

lib/api/v3/work_packages/watchers_api.rb

@@ -77,7 +77,7 @@ module API
               authorize_in_project(:add_work_package_watchers, project: @work_package.project)
             end
 
-            user = User.find user_id
+            user = User.visible.find(user_id)
 
             Services::CreateWatcher.new(@work_package, user).run(
               success: ->(result) { status(200) unless result[:created] },
@@ -101,7 +101,7 @@ module API
                 authorize_in_project(:delete_work_package_watchers, project: @work_package.project)
               end
 
-              user = User.find_by(id: params[:user_id])
+              user = User.visible.find_by(id: params[:user_id])
 
               raise ::API::Errors::NotFound unless user
 

modules/avatars/app/controllers/avatars/users_controller.rb

@@ -16,7 +16,7 @@ module ::Avatars
     end
 
     def find_user
-      @user = User.find(params[:id])
+      @user = User.visible.find(params[:id])
     end
   end
 end

modules/costs/app/controllers/costlog_controller.rb

@@ -73,7 +73,7 @@ class CostlogController < ApplicationController
     elsif @cost_entry.save
 
       flash[:notice] = t(:notice_successful_update)
-      redirect_back fallback_location: polymorphic_path(@cost_entry.entity)
+      redirect_back_or_to(polymorphic_path(@cost_entry.entity))
 
     else
       render action: "edit"
@@ -90,7 +90,7 @@ class CostlogController < ApplicationController
     if request.referer.include?("cost_reports")
       redirect_to controller: "/cost_reports", action: :index
     else
-      redirect_back fallback_location: polymorphic_path(@cost_entry.entity)
+      redirect_back_or_to(polymorphic_path(@cost_entry.entity))
     end
   end
 
@@ -117,7 +117,7 @@ class CostlogController < ApplicationController
     @user = if @cost_entry.present? && @cost_entry.user_id == user_id
               @cost_entry.user
             else
-              User.find_by(id: user_id)
+              User.visible.find_by(id: user_id)
             end
 
     entity_id = cost_entry_params.delete(:entity_id)

modules/reporting/app/helpers/reporting_helper.rb

@@ -107,7 +107,7 @@ module ReportingHelper
     when :project_id
       link_to_project Project.find(value.to_i)
     when :user_id, :assigned_to_id, :author_id, :logged_by_id
-      link_to_user(User.find_by(id: value.to_i) || DeletedUser.first)
+      link_to_user(User.visible.find_by(id: value.to_i) || DeletedUser.first)
     when :tweek
       "#{I18n.t(:label_week)} ##{h value}"
     when :tmonth

modules/two_factor_authentication/app/controllers/two_factor_authentication/users/two_factor_devices_controller.rb

@@ -14,6 +14,7 @@ module ::TwoFactorAuthentication
 
       # Password confirmation helpers and actions
       include PasswordConfirmation
+
       before_action :check_password_confirmation,
                     only: :make_default
 
@@ -106,7 +107,7 @@ module ::TwoFactorAuthentication
       end
 
       def find_user
-        @user = User.find(params[:id])
+        @user = User.visible.find(params[:id])
       end
 
       def target_user