Consistently load work packages via visible scope

app/controllers/work_package_hierarchy_relations_controller.rb

@@ -65,7 +65,7 @@ class WorkPackageHierarchyRelationsController < ApplicationController
   end
 
   def destroy
-    related = WorkPackage.find(params[:id])
+    related = WorkPackage.visible.find(params[:id])
     service_result =
       if related.parent_id == @work_package.id
         set_relation(child: related, parent: nil)
@@ -101,7 +101,7 @@ class WorkPackageHierarchyRelationsController < ApplicationController
   def related_work_package
     @related_work_package ||=
       if params[:work_package][:id].present?
-        WorkPackage.find(params[:work_package][:id])
+        WorkPackage.visible.find(params[:work_package][:id])
       else
         WorkPackage.new
       end

app/controllers/work_package_relations_controller.rb

@@ -127,11 +127,11 @@ class WorkPackageRelationsController < ApplicationController
   end
 
   def set_work_package
-    @work_package = WorkPackage.find(params[:work_package_id])
+    @work_package = WorkPackage.visible.find(params[:work_package_id])
   end
 
   def set_relation
-    @relation = @work_package.relations.find(params[:id])
+    @relation = @work_package.relations.visible.find(params[:id])
   end
 
   def create_relation_params

app/controllers/work_package_relations_tab_controller.rb

@@ -51,7 +51,7 @@ class WorkPackageRelationsTabController < ApplicationController
   private
 
   def set_work_package
-    @work_package = WorkPackage.find(params[:work_package_id])
+    @work_package = WorkPackage.visible.find(params[:work_package_id])
     @project = @work_package.project # required for authorization via before_action
   end
 end

app/controllers/work_packages/activities_tab_controller.rb

@@ -227,7 +227,7 @@ class WorkPackages::ActivitiesTabController < ApplicationController
   end
 
   def find_work_package
-    @work_package = WorkPackage.find(params[:work_package_id])
+    @work_package = WorkPackage.visible.find(params[:work_package_id])
   rescue ActiveRecord::RecordNotFound
     respond_with_error(I18n.t("label_not_found"))
   end

app/models/project/pdf_export/project_initiation.rb

@@ -188,12 +188,12 @@ class Project::PDFExport::ProjectInitiation < Exports::Exporter
            .where(id: enabled_in_wizard_ids)
            .group_by(&:project_custom_field_section)
            .map do |section, custom_fields|
-      {
-        caption: section.name,
-        fields: custom_fields.map do |custom_field|
-          { key: "cf_#{custom_field.id}", caption: custom_field.name, custom_field: }
-        end
-      }
+             {
+               caption: section.name,
+               fields: custom_fields.map do |custom_field|
+                 { key: "cf_#{custom_field.id}", caption: custom_field.name, custom_field: }
+               end
+             }
     end
   end
 
@@ -284,7 +284,7 @@ class Project::PDFExport::ProjectInitiation < Exports::Exporter
   def project_initiation_work_package_status
     return nil if project.project_creation_wizard_artifact_work_package_id.blank?
 
-    work_package = WorkPackage.find_by(id: project.project_creation_wizard_artifact_work_package_id)
+    work_package = WorkPackage.visible.find_by(id: project.project_creation_wizard_artifact_work_package_id)
     work_package&.status
   end
 

app/models/queries/principals/filters/internal_mentionable_on_work_package_filter.rb

@@ -82,6 +82,6 @@ class Queries::Principals::Filters::InternalMentionableOnWorkPackageFilter <
   end
 
   def work_package
-    WorkPackage.find(values.first)
+    WorkPackage.visible.find(values.first)
   end
 end

app/models/queries/work_packages/filter/relatable_filter.rb

@@ -49,7 +49,7 @@ class Queries::WorkPackages::Filter::RelatableFilter < Queries::WorkPackages::Fi
   end
 
   def apply_to(query_scope)
-    query_scope.relatable(WorkPackage.find_by(id: values.first), scope_operator)
+    query_scope.relatable(WorkPackage.visible.find_by(id: values.first), scope_operator)
   end
 
   private

app/services/mcp_resources/work_package.rb

@@ -37,9 +37,8 @@ module McpResources
     default_description "Access work packages of this OpenProject instance."
 
     def read(id:)
-      work_package = ::WorkPackage.find_by(id:)
+      work_package = ::WorkPackage.visible.find_by(id:)
       return nil if work_package.nil?
-      return nil unless current_user.allowed_in_work_package?(:view_work_packages, work_package)
 
       API::V3::WorkPackages::WorkPackageRepresenter.create(work_package, current_user:, embed_links: true)
     end

app/services/work_packages/update_service.rb

@@ -142,7 +142,7 @@ class WorkPackages::UpdateService < BaseServices::Update
 
     # if parent changed, the former parent needs to be rescheduled too.
     if parent_just_changed?(work_package)
-      former_parent = WorkPackage.find_by(id: work_package.parent_id_before_last_save)
+      former_parent = WorkPackage.visible(user).find_by(id: work_package.parent_id_before_last_save)
       work_packages_to_reschedule << former_parent if former_parent
     end
 
@@ -165,11 +165,11 @@ class WorkPackages::UpdateService < BaseServices::Update
     service_calls
       .group_by { |sc| sc.result.id }
       .map do |(_, same_work_package_calls)|
-      same_work_package_calls.pop.tap do |master|
-        same_work_package_calls.each do |sc|
-          master.result.attributes = sc.result.changes.transform_values(&:last)
+        same_work_package_calls.pop.tap do |master|
+          same_work_package_calls.each do |sc|
+            master.result.attributes = sc.result.changes.transform_values(&:last)
+          end
         end
-      end
     end
   end
 end

lib/api/v3/work_packages/work_package_representer.rb

@@ -596,7 +596,7 @@ module API
                                               expected_version: "3",
                                               expected_namespace: "work_packages"
 
-                                  WorkPackage.find_by(id:) ||
+                                  WorkPackage.visible.find_by(id:) ||
                                     ::WorkPackage::InexistentWorkPackage.new(id:)
                                 end
 

lib/api/v3/work_packages/work_packages_api.rb

@@ -71,7 +71,7 @@ module API
             end
 
             after_validation do
-              @work_package = WorkPackage.find(declared_params[:id])
+              @work_package = WorkPackage.visible.find(declared_params[:id])
 
               authorize_in_work_package(:view_work_packages, work_package: @work_package) do
                 raise API::Errors::NotFound.new model: :work_package

modules/backlogs/lib/open_project/backlogs/patches/set_attributes_service_patch.rb

@@ -66,11 +66,12 @@ module OpenProject::Backlogs::Patches::SetAttributesServicePatch
     def ancestor_chain(parent_id)
       ancestors = []
       unless parent_id.nil?
-        real_parent = WorkPackage.find_by(id: parent_id)
+        real_parent = WorkPackage.visible(user).find_by(id: parent_id)
 
         # Sort immediate ancestors first
         ancestors = real_parent
                     .ancestors
+                    .visible(user)
                     .includes(project: :enabled_modules)
                     .order_by_ancestors("desc")
                     .select("work_packages.*, COALESCE(max_depth.depth, 0)")

modules/bim/app/services/bim/bcf/issues/create_service.rb

@@ -57,7 +57,7 @@ module Bim::Bcf
       end
 
       def use_work_package(links:, params:)
-        work_package = WorkPackage.find_by(id: work_package_id_from_links(links))
+        work_package = WorkPackage.visible(user).find_by(id: work_package_id_from_links(links))
         return work_package_not_found_result if work_package.nil?
 
         ::WorkPackages::UpdateService

modules/bim/app/services/bim/bcf/issues/delete_service.rb

@@ -42,7 +42,7 @@ module Bim::Bcf
       end
 
       def work_package_delete_call(params)
-        associated_wp = WorkPackage.find(model.work_package_id)
+        associated_wp = WorkPackage.visible(user).find(model.work_package_id)
         # Load the project association as AR fails do do so once the work package
         # is destroyed.
         model.project

modules/costs/app/controllers/costlog_controller.rb

@@ -99,13 +99,13 @@ class CostlogController < ApplicationController
   def find_project
     # copied from timelog_controller.rb
     if params[:id]
-      @cost_entry = CostEntry.find(params[:id])
+      @cost_entry = CostEntry.visible.find(params[:id])
       @project = @cost_entry.project
     elsif params[:work_package_id]
-      @work_package = WorkPackage.find(params[:work_package_id])
+      @work_package = WorkPackage.visible.find(params[:work_package_id])
       @project = @work_package.project
     elsif params[:project_id]
-      @project = Project.find(params[:project_id])
+      @project = Project.visible.find(params[:project_id])
     else
       render_404
       false
@@ -125,7 +125,7 @@ class CostlogController < ApplicationController
     @work_package = if @cost_entry.present? && @cost_entry.entity_type == "WorkPackage" && @cost_entry.entity_id == entity_id
                       @cost_entry.entity
                     elsif entity_type == "WorkPackage"
-                      WorkPackage.find_by(id: entity_id)
+                      WorkPackage.visible.find_by(id: entity_id)
                     end
 
     cost_type_id = cost_entry_params.delete(:cost_type_id)

modules/reporting/app/helpers/reporting_helper.rb

@@ -119,7 +119,7 @@ module ReportingHelper
     when :budget_id
       budget_link value
     when :work_package_id
-      link_to_work_package(WorkPackage.find(value.to_i))
+      link_to_work_package(WorkPackage.visible.find(value.to_i))
     when :entity_gid
       allowed_types = (TimeEntry::ALLOWED_ENTITY_TYPES | CostEntry::ALLOWED_ENTITY_TYPES).map(&:safe_constantize)
       entity = begin