From c212df5b813863663df2a8ac8493652d4fcda95e Mon Sep 17 00:00:00 2001
From: Klaus Zanders
Date: Mon, 2 Feb 2026 11:06:25 +0100
Subject: [PATCH] Use more visible scoping for users
---
app/components/users/hover_card_component.rb | 2 +-
app/controllers/placeholder_users/memberships_controller.rb | 3 ++-
app/controllers/placeholder_users_controller.rb | 4 ++--
app/controllers/shares_controller.rb | 2 +-
app/controllers/users/memberships_controller.rb | 3 ++-
.../creation_wizard/create_artifact_work_package_service.rb | 2 +-
app/views/oauth/applications/_form.html.erb | 2 +-
app/views/oauth/applications/show.html.erb | 2 +-
lib/api/v3/work_packages/watchers_api.rb | 4 ++--
modules/avatars/app/controllers/avatars/users_controller.rb | 2 +-
modules/costs/app/controllers/costlog_controller.rb | 6 +++---
modules/reporting/app/helpers/reporting_helper.rb | 2 +-
.../users/two_factor_devices_controller.rb | 3 ++-
13 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/app/components/users/hover_card_component.rb b/app/components/users/hover_card_component.rb
index 52da4ee0ced..7b04ba87313 100644
--- a/app/components/users/hover_card_component.rb
+++ b/app/components/users/hover_card_component.rb
@@ -34,7 +34,7 @@ class Users::HoverCardComponent < ApplicationComponent
def initialize(id:)
super
- @user = User.find_by(id:)
+ @user = User.visible.find_by(id:)
end
def render?
diff --git a/app/controllers/placeholder_users/memberships_controller.rb b/app/controllers/placeholder_users/memberships_controller.rb
index a979f2bce23..1ebce719388 100644
--- a/app/controllers/placeholder_users/memberships_controller.rb
+++ b/app/controllers/placeholder_users/memberships_controller.rb
@@ -30,13 +30,14 @@
class PlaceholderUsers::MembershipsController < ApplicationController
include IndividualPrincipals::MembershipControllerMethods
+
layout "admin"
before_action :authorize_global
before_action :find_individual_principal
def find_individual_principal
- @individual_principal = PlaceholderUser.find(params[:placeholder_user_id])
+ @individual_principal = PlaceholderUser.visible.find(params[:placeholder_user_id])
end
def redirected_to_tab(_membership)
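Review bot: `PlaceholderUser.visible.find(...)` on the changed line narrows the lookup to principals the current user can see, while the controller is guarded by `before_action :authorize_global`, i.e. a global permission; if the `visible` scope is membership-based (its definition is not in the hunk), a user holding the global permission but sharing no project with the placeholder user now gets a 404 for a record they are otherwise allowed to administer. The same combination appears in `find_individual_principal` of users/memberships_controller.rb and in `find_placeholder_user` of placeholder_users_controller.rb. Either confirm that `visible` covers everything the global permission is meant to reach, or state the intended behaviour above the method: `# Raises RecordNotFound (404) for principals outside the current user's visibility, even with the global permission`. `find_individual_principal` is shown whole; whether it sits under `private` is outside the hunk.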
diff --git a/app/controllers/placeholder_users_controller.rb b/app/controllers/placeholder_users_controller.rb
index 77ba46d8b12..1b2caefff71 100644
--- a/app/controllers/placeholder_users_controller.rb
+++ b/app/controllers/placeholder_users_controller.rb
@@ -111,7 +111,7 @@ class PlaceholderUsersController < ApplicationController
respond_to do |format|
format.html do
flash[:notice] = I18n.t(:notice_successful_update)
- redirect_back(fallback_location: edit_placeholder_user_path(@placeholder_user))
+ redirect_back_or_to(edit_placeholder_user_path(@placeholder_user))
end
end
else
@@ -146,7 +146,7 @@ class PlaceholderUsersController < ApplicationController
private
def find_placeholder_user
- @placeholder_user = PlaceholderUser.find(params[:id])
+ @placeholder_user = PlaceholderUser.visible.find(params[:id])
end
protected
diff --git a/app/controllers/shares_controller.rb b/app/controllers/shares_controller.rb
index 850dd72b3f8..51997db62b9 100644
--- a/app/controllers/shares_controller.rb
+++ b/app/controllers/shares_controller.rb
@@ -57,7 +57,7 @@ class SharesController < ApplicationController
visible_shares_before_adding = sharing_strategy.shares.present?
find_or_create_users(send_notification: send_notification?) do |member_params|
- user = User.find_by(id: member_params[:user_id])
+ user = User.visible.find_by(id: member_params[:user_id])
if user.present? && (user.locked? || user.deleted?)
@errors.add(:base, I18n.t("sharing.warning_locked_user", user: user.name))
else
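Review bot: `User.visible.find_by(id: member_params[:user_id])` on the changed line makes `user` nil for two different situations, an id with no row and an id that exists but is hidden from the current user, and the `else` on the last line of the hunk (its body is outside the hunk) treats both the same. Given the enclosing `find_or_create_users` block, that branch presumably goes on to create or invite a principal; if so, an existing-but-hidden user could now be re-created or surface a uniqueness error that reveals the hidden account, which is worth confirming. If that is not intended, keep the cases apart with a branch in the style of the locked-user check, `elsif member_params[:user_id].present? && user.nil?` followed by an `@errors.add(:base, ...)` with a suitable message. The enclosing action starts before the hunk.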
diff --git a/app/controllers/users/memberships_controller.rb b/app/controllers/users/memberships_controller.rb
index 5e012762f29..044717f84ed 100644
--- a/app/controllers/users/memberships_controller.rb
+++ b/app/controllers/users/memberships_controller.rb
@@ -30,13 +30,14 @@
class Users::MembershipsController < ApplicationController
include IndividualPrincipals::MembershipControllerMethods
+
layout "admin"
before_action :authorize_global
before_action :find_individual_principal
def find_individual_principal
- @individual_principal = User.find(params[:user_id])
+ @individual_principal = User.visible.find(params[:user_id])
end
def redirected_to_tab(membership)
diff --git a/app/services/projects/creation_wizard/create_artifact_work_package_service.rb b/app/services/projects/creation_wizard/create_artifact_work_package_service.rb
index 2eec2841c0f..a065a9e98bc 100644
--- a/app/services/projects/creation_wizard/create_artifact_work_package_service.rb
+++ b/app/services/projects/creation_wizard/create_artifact_work_package_service.rb
@@ -182,7 +182,7 @@ module Projects::CreationWizard
end
def assignee_mention_tag
- principal = Principal.find(assigned_to_id)
+ principal = Principal.visible.find(assigned_to_id)
ApplicationController.helpers.content_tag(
"mention",
diff --git a/app/views/oauth/applications/_form.html.erb b/app/views/oauth/applications/_form.html.erb
index e8ed22fc5fb..7d129855d93 100644
--- a/app/views/oauth/applications/_form.html.erb
+++ b/app/views/oauth/applications/_form.html.erb
@@ -110,7 +110,7 @@ See COPYRIGHT and LICENSE files for more details.
<% if @application.client_credentials_user_id %>
- <% user = User.find(@application.client_credentials_user_id) %>
+ <% user = User.visible.find(@application.client_credentials_user_id) %>
<%= t("oauth.client_credentials_impersonation_set_to") %>
<%= link_to_user user %>
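Review bot: `User.visible.find(...)` on the changed line raises `ActiveRecord::RecordNotFound` inside the view, so an application whose impersonation user is hidden from the current user turns the whole form into a 404 instead of just omitting the link, while the sibling change in show.html.erb uses `User.visible.find_by(id: user_id)` and hands a possible nil to `link_to_user`, whose nil handling is not visible here. The two views should agree on one behaviour: `<% user = User.visible.find_by(id: @application.client_credentials_user_id) %>` here, with `<% if user %>` around the two output lines, and the same guard before `link_to_user` in show.html.erb. The surrounding `<% if @application.client_credentials_user_id %>` block closes outside the hunk.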
diff --git a/app/views/oauth/applications/show.html.erb b/app/views/oauth/applications/show.html.erb
index abf63bb0592..cbb765714aa 100644
--- a/app/views/oauth/applications/show.html.erb
+++ b/app/views/oauth/applications/show.html.erb
@@ -54,7 +54,7 @@ See COPYRIGHT and LICENSE files for more details.
<% component.with_attribute(
key: t("oauth.client_credentials_impersonation_set_to")
) do %>
- <%= link_to_user User.find_by(id: user_id) %>
+ <%= link_to_user User.visible.find_by(id: user_id) %>
<%= t("oauth.client_credentials_impersonation_warning") %>
<% end %>
diff --git a/lib/api/v3/work_packages/watchers_api.rb b/lib/api/v3/work_packages/watchers_api.rb
index 0d43ef2cc7b..bfa8f810e0a 100644
--- a/lib/api/v3/work_packages/watchers_api.rb
+++ b/lib/api/v3/work_packages/watchers_api.rb
@@ -77,7 +77,7 @@ module API
authorize_in_project(:add_work_package_watchers, project: @work_package.project)
end
- user = User.find user_id
+ user = User.visible.find(user_id)
Services::CreateWatcher.new(@work_package, user).run(
success: ->(result) { status(200) unless result[:created] },
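Review bot: The add path now uses `User.visible.find(user_id)`, which raises `ActiveRecord::RecordNotFound`, while the delete path in the next hunk (`@@ -101,7`) uses `User.visible.find_by(id: params[:user_id])` followed by `raise ::API::Errors::NotFound unless user`; unless the API layer maps `RecordNotFound` to the same 404 (not visible here), the two endpoints answer a hidden user differently. Matching the delete path keeps the error contract explicit: `user = User.visible.find_by(id: user_id)` then `raise ::API::Errors::NotFound unless user`. The enclosing endpoint body starts before the hunk and continues after it.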
@@ -101,7 +101,7 @@ module API
authorize_in_project(:delete_work_package_watchers, project: @work_package.project)
end
- user = User.find_by(id: params[:user_id])
+ user = User.visible.find_by(id: params[:user_id])
raise ::API::Errors::NotFound unless user
diff --git a/modules/avatars/app/controllers/avatars/users_controller.rb b/modules/avatars/app/controllers/avatars/users_controller.rb
index 47355f881e2..ab0f79e212a 100644
--- a/modules/avatars/app/controllers/avatars/users_controller.rb
+++ b/modules/avatars/app/controllers/avatars/users_controller.rb
@@ -16,7 +16,7 @@ module ::Avatars
end
def find_user
- @user = User.find(params[:id])
+ @user = User.visible.find(params[:id])
end
end
end
diff --git a/modules/costs/app/controllers/costlog_controller.rb b/modules/costs/app/controllers/costlog_controller.rb
index 9ca6d5d4421..23cf25074cc 100644
--- a/modules/costs/app/controllers/costlog_controller.rb
+++ b/modules/costs/app/controllers/costlog_controller.rb
@@ -73,7 +73,7 @@ class CostlogController < ApplicationController
elsif @cost_entry.save
flash[:notice] = t(:notice_successful_update)
- redirect_back fallback_location: polymorphic_path(@cost_entry.entity)
+ redirect_back_or_to(polymorphic_path(@cost_entry.entity))
else
render action: "edit"
@@ -90,7 +90,7 @@ class CostlogController < ApplicationController
if request.referer.include?("cost_reports")
redirect_to controller: "/cost_reports", action: :index
else
- redirect_back fallback_location: polymorphic_path(@cost_entry.entity)
+ redirect_back_or_to(polymorphic_path(@cost_entry.entity))
end
end
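Review bot: `request.referer.include?("cost_reports")` two lines above the changed line runs before `redirect_back_or_to` gets a chance to handle a missing Referer, so a request without that header raises `NoMethodError` on nil and the fallback on the changed line is never reached. `request.referer&.include?("cost_reports")` (or `request.referer.to_s.include?("cost_reports")`) closes the gap and keeps the existing routing. The enclosing action starts before the hunk.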
@@ -117,7 +117,7 @@ class CostlogController < ApplicationController
@user = if @cost_entry.present? && @cost_entry.user_id == user_id
@cost_entry.user
else
- User.find_by(id: user_id)
+ User.visible.find_by(id: user_id)
end
entity_id = cost_entry_params.delete(:entity_id)
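Review bot: The `if` branch above the changed line returns `@cost_entry.user` without going through `visible`, so an entry already attached to a hidden user keeps that user while a different id now goes through `User.visible.find_by`; this looks deliberate, since the entry already references the user, but the asymmetry will raise the question for the next reader and deserves a comment on the `if` line: `# keep the entry's existing user even if the current user cannot see them; only new ids are scoped`. The enclosing action starts before the hunk and continues after it.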
diff --git a/modules/reporting/app/helpers/reporting_helper.rb b/modules/reporting/app/helpers/reporting_helper.rb
index 38fa948d25d..cac2ca97418 100644
--- a/modules/reporting/app/helpers/reporting_helper.rb
+++ b/modules/reporting/app/helpers/reporting_helper.rb
@@ -107,7 +107,7 @@ module ReportingHelper
when :project_id
link_to_project Project.find(value.to_i)
when :user_id, :assigned_to_id, :author_id, :logged_by_id
- link_to_user(User.find_by(id: value.to_i) || DeletedUser.first)
+ link_to_user(User.visible.find_by(id: value.to_i) || DeletedUser.first)
when :tweek
"#{I18n.t(:label_week)} ##{h value}"
when :tmonth
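Review bot: With `User.visible.find_by(id: value.to_i) || DeletedUser.first` on the changed line, a user who exists but is hidden from the current user now falls through to the `DeletedUser` fallback and is rendered exactly like a deleted account, which can mislead readers of the report; the old line only did that for ids with no row. If that conflation is acceptable, say so next to the line: `# hidden users are deliberately shown with the deleted-user placeholder`; otherwise the two cases need separate fallbacks. The enclosing `case` continues outside the hunk.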
diff --git a/modules/two_factor_authentication/app/controllers/two_factor_authentication/users/two_factor_devices_controller.rb b/modules/two_factor_authentication/app/controllers/two_factor_authentication/users/two_factor_devices_controller.rb
index 4966f0e0435..6f9cd28f2c8 100644
--- a/modules/two_factor_authentication/app/controllers/two_factor_authentication/users/two_factor_devices_controller.rb
+++ b/modules/two_factor_authentication/app/controllers/two_factor_authentication/users/two_factor_devices_controller.rb
@@ -14,6 +14,7 @@ module ::TwoFactorAuthentication
# Password confirmation helpers and actions
include PasswordConfirmation
+
before_action :check_password_confirmation,
only: :make_default
@@ -106,7 +107,7 @@ module ::TwoFactorAuthentication
end
def find_user
- @user = User.find(params[:id])
+ @user = User.visible.find(params[:id])
end
def target_user