diff --git a/app/controllers/work_package_hierarchy_relations_controller.rb b/app/controllers/work_package_hierarchy_relations_controller.rb index 66cf444a2b5..cda4f8e9e4d 100644 --- a/app/controllers/work_package_hierarchy_relations_controller.rb +++ b/app/controllers/work_package_hierarchy_relations_controller.rb @@ -65,7 +65,7 @@ class WorkPackageHierarchyRelationsController < ApplicationController end def destroy - related = WorkPackage.find(params[:id]) + related = WorkPackage.visible.find(params[:id]) service_result = if related.parent_id == @work_package.id set_relation(child: related, parent: nil) @@ -101,7 +101,7 @@ class WorkPackageHierarchyRelationsController < ApplicationController def related_work_package @related_work_package ||= if params[:work_package][:id].present? - WorkPackage.find(params[:work_package][:id]) + WorkPackage.visible.find(params[:work_package][:id]) else WorkPackage.new end diff --git a/app/controllers/work_package_relations_controller.rb b/app/controllers/work_package_relations_controller.rb index 181bd932cce..50c51722093 100644 --- a/app/controllers/work_package_relations_controller.rb +++ b/app/controllers/work_package_relations_controller.rb @@ -127,11 +127,11 @@ class WorkPackageRelationsController < ApplicationController end def set_work_package - @work_package = WorkPackage.find(params[:work_package_id]) + @work_package = WorkPackage.visible.find(params[:work_package_id]) end def set_relation - @relation = @work_package.relations.find(params[:id]) + @relation = @work_package.relations.visible.find(params[:id]) end def create_relation_params diff --git a/app/controllers/work_package_relations_tab_controller.rb b/app/controllers/work_package_relations_tab_controller.rb index 1c8fda279ef..6fb17c3fbfa 100644 --- a/app/controllers/work_package_relations_tab_controller.rb +++ b/app/controllers/work_package_relations_tab_controller.rb @@ -51,7 +51,7 @@ class WorkPackageRelationsTabController < ApplicationController private def set_work_package - @work_package = WorkPackage.find(params[:work_package_id]) + @work_package = WorkPackage.visible.find(params[:work_package_id]) @project = @work_package.project # required for authorization via before_action end end diff --git a/app/controllers/work_packages/activities_tab_controller.rb b/app/controllers/work_packages/activities_tab_controller.rb index c93c1c22f38..0f642a64260 100644 --- a/app/controllers/work_packages/activities_tab_controller.rb +++ b/app/controllers/work_packages/activities_tab_controller.rb @@ -227,7 +227,7 @@ class WorkPackages::ActivitiesTabController < ApplicationController end def find_work_package - @work_package = WorkPackage.find(params[:work_package_id]) + @work_package = WorkPackage.visible.find(params[:work_package_id]) rescue ActiveRecord::RecordNotFound respond_with_error(I18n.t("label_not_found")) end diff --git a/app/models/project/pdf_export/project_initiation.rb b/app/models/project/pdf_export/project_initiation.rb index 1feb1276647..4ebe6d26175 100644 --- a/app/models/project/pdf_export/project_initiation.rb +++ b/app/models/project/pdf_export/project_initiation.rb @@ -188,12 +188,12 @@ class Project::PDFExport::ProjectInitiation < Exports::Exporter .where(id: enabled_in_wizard_ids) .group_by(&:project_custom_field_section) .map do |section, custom_fields| - { - caption: section.name, - fields: custom_fields.map do |custom_field| - { key: "cf_#{custom_field.id}", caption: custom_field.name, custom_field: } - end - } + { + caption: section.name, + fields: custom_fields.map do |custom_field| + { key: "cf_#{custom_field.id}", caption: custom_field.name, custom_field: } + end + } end end @@ -284,7 +284,7 @@ class Project::PDFExport::ProjectInitiation < Exports::Exporter def project_initiation_work_package_status return nil if project.project_creation_wizard_artifact_work_package_id.blank? - work_package = WorkPackage.find_by(id: project.project_creation_wizard_artifact_work_package_id) + work_package = WorkPackage.visible.find_by(id: project.project_creation_wizard_artifact_work_package_id) work_package&.status end diff --git a/app/models/queries/principals/filters/internal_mentionable_on_work_package_filter.rb b/app/models/queries/principals/filters/internal_mentionable_on_work_package_filter.rb index e6df3a2e57c..4ed8254cd33 100644 --- a/app/models/queries/principals/filters/internal_mentionable_on_work_package_filter.rb +++ b/app/models/queries/principals/filters/internal_mentionable_on_work_package_filter.rb @@ -82,6 +82,6 @@ class Queries::Principals::Filters::InternalMentionableOnWorkPackageFilter < end def work_package - WorkPackage.find(values.first) + WorkPackage.visible.find(values.first) end end diff --git a/app/models/queries/work_packages/filter/relatable_filter.rb b/app/models/queries/work_packages/filter/relatable_filter.rb index e5cea285c9e..988cbb5e5ce 100644 --- a/app/models/queries/work_packages/filter/relatable_filter.rb +++ b/app/models/queries/work_packages/filter/relatable_filter.rb @@ -49,7 +49,7 @@ class Queries::WorkPackages::Filter::RelatableFilter < Queries::WorkPackages::Fi end def apply_to(query_scope) - query_scope.relatable(WorkPackage.find_by(id: values.first), scope_operator) + query_scope.relatable(WorkPackage.visible.find_by(id: values.first), scope_operator) end private diff --git a/app/services/mcp_resources/work_package.rb b/app/services/mcp_resources/work_package.rb index 58fe41ca792..0537e6c3a3d 100644 --- a/app/services/mcp_resources/work_package.rb +++ b/app/services/mcp_resources/work_package.rb @@ -37,9 +37,8 @@ module McpResources default_description "Access work packages of this OpenProject instance." def read(id:) - work_package = ::WorkPackage.find_by(id:) + work_package = ::WorkPackage.visible.find_by(id:) return nil if work_package.nil? - return nil unless current_user.allowed_in_work_package?(:view_work_packages, work_package) API::V3::WorkPackages::WorkPackageRepresenter.create(work_package, current_user:, embed_links: true) end diff --git a/app/services/work_packages/update_service.rb b/app/services/work_packages/update_service.rb index 36e73d6cb07..a6fd035df11 100644 --- a/app/services/work_packages/update_service.rb +++ b/app/services/work_packages/update_service.rb @@ -142,7 +142,7 @@ class WorkPackages::UpdateService < BaseServices::Update # if parent changed, the former parent needs to be rescheduled too. if parent_just_changed?(work_package) - former_parent = WorkPackage.find_by(id: work_package.parent_id_before_last_save) + former_parent = WorkPackage.visible(user).find_by(id: work_package.parent_id_before_last_save) work_packages_to_reschedule << former_parent if former_parent end @@ -165,11 +165,11 @@ class WorkPackages::UpdateService < BaseServices::Update service_calls .group_by { |sc| sc.result.id } .map do |(_, same_work_package_calls)| - same_work_package_calls.pop.tap do |master| - same_work_package_calls.each do |sc| - master.result.attributes = sc.result.changes.transform_values(&:last) + same_work_package_calls.pop.tap do |master| + same_work_package_calls.each do |sc| + master.result.attributes = sc.result.changes.transform_values(&:last) + end end - end end end end diff --git a/lib/api/v3/work_packages/work_package_representer.rb b/lib/api/v3/work_packages/work_package_representer.rb index c72086f1ca2..4a5f03e5307 100644 --- a/lib/api/v3/work_packages/work_package_representer.rb +++ b/lib/api/v3/work_packages/work_package_representer.rb @@ -596,7 +596,7 @@ module API expected_version: "3", expected_namespace: "work_packages" - WorkPackage.find_by(id:) || + WorkPackage.visible.find_by(id:) || ::WorkPackage::InexistentWorkPackage.new(id:) end diff --git a/lib/api/v3/work_packages/work_packages_api.rb b/lib/api/v3/work_packages/work_packages_api.rb index 67954b3c349..bfab66edf11 100644 --- a/lib/api/v3/work_packages/work_packages_api.rb +++ b/lib/api/v3/work_packages/work_packages_api.rb @@ -71,7 +71,7 @@ module API end after_validation do - @work_package = WorkPackage.find(declared_params[:id]) + @work_package = WorkPackage.visible.find(declared_params[:id]) authorize_in_work_package(:view_work_packages, work_package: @work_package) do raise API::Errors::NotFound.new model: :work_package diff --git a/modules/backlogs/lib/open_project/backlogs/patches/set_attributes_service_patch.rb b/modules/backlogs/lib/open_project/backlogs/patches/set_attributes_service_patch.rb index 8d52239030a..4b728019f71 100644 --- a/modules/backlogs/lib/open_project/backlogs/patches/set_attributes_service_patch.rb +++ b/modules/backlogs/lib/open_project/backlogs/patches/set_attributes_service_patch.rb @@ -66,11 +66,12 @@ module OpenProject::Backlogs::Patches::SetAttributesServicePatch def ancestor_chain(parent_id) ancestors = [] unless parent_id.nil? - real_parent = WorkPackage.find_by(id: parent_id) + real_parent = WorkPackage.visible(user).find_by(id: parent_id) # Sort immediate ancestors first ancestors = real_parent .ancestors + .visible(user) .includes(project: :enabled_modules) .order_by_ancestors("desc") .select("work_packages.*, COALESCE(max_depth.depth, 0)") diff --git a/modules/bim/app/services/bim/bcf/issues/create_service.rb b/modules/bim/app/services/bim/bcf/issues/create_service.rb index 38302bda10f..59cfcf61396 100644 --- a/modules/bim/app/services/bim/bcf/issues/create_service.rb +++ b/modules/bim/app/services/bim/bcf/issues/create_service.rb @@ -57,7 +57,7 @@ module Bim::Bcf end def use_work_package(links:, params:) - work_package = WorkPackage.find_by(id: work_package_id_from_links(links)) + work_package = WorkPackage.visible(user).find_by(id: work_package_id_from_links(links)) return work_package_not_found_result if work_package.nil? ::WorkPackages::UpdateService diff --git a/modules/bim/app/services/bim/bcf/issues/delete_service.rb b/modules/bim/app/services/bim/bcf/issues/delete_service.rb index a52c41ac895..63f6b92169a 100644 --- a/modules/bim/app/services/bim/bcf/issues/delete_service.rb +++ b/modules/bim/app/services/bim/bcf/issues/delete_service.rb @@ -42,7 +42,7 @@ module Bim::Bcf end def work_package_delete_call(params) - associated_wp = WorkPackage.find(model.work_package_id) + associated_wp = WorkPackage.visible(user).find(model.work_package_id) # Load the project association as AR fails do do so once the work package # is destroyed. model.project diff --git a/modules/costs/app/controllers/costlog_controller.rb b/modules/costs/app/controllers/costlog_controller.rb index 23cf25074cc..79904e0f8e4 100644 --- a/modules/costs/app/controllers/costlog_controller.rb +++ b/modules/costs/app/controllers/costlog_controller.rb @@ -99,13 +99,13 @@ class CostlogController < ApplicationController def find_project # copied from timelog_controller.rb if params[:id] - @cost_entry = CostEntry.find(params[:id]) + @cost_entry = CostEntry.visible.find(params[:id]) @project = @cost_entry.project elsif params[:work_package_id] - @work_package = WorkPackage.find(params[:work_package_id]) + @work_package = WorkPackage.visible.find(params[:work_package_id]) @project = @work_package.project elsif params[:project_id] - @project = Project.find(params[:project_id]) + @project = Project.visible.find(params[:project_id]) else render_404 false @@ -125,7 +125,7 @@ class CostlogController < ApplicationController @work_package = if @cost_entry.present? && @cost_entry.entity_type == "WorkPackage" && @cost_entry.entity_id == entity_id @cost_entry.entity elsif entity_type == "WorkPackage" - WorkPackage.find_by(id: entity_id) + WorkPackage.visible.find_by(id: entity_id) end cost_type_id = cost_entry_params.delete(:cost_type_id) diff --git a/modules/reporting/app/helpers/reporting_helper.rb b/modules/reporting/app/helpers/reporting_helper.rb index cac2ca97418..01d4ad65965 100644 --- a/modules/reporting/app/helpers/reporting_helper.rb +++ b/modules/reporting/app/helpers/reporting_helper.rb @@ -119,7 +119,7 @@ module ReportingHelper when :budget_id budget_link value when :work_package_id - link_to_work_package(WorkPackage.find(value.to_i)) + link_to_work_package(WorkPackage.visible.find(value.to_i)) when :entity_gid allowed_types = (TimeEntry::ALLOWED_ENTITY_TYPES | CostEntry::ALLOWED_ENTITY_TYPES).map(&:safe_constantize) entity = begin