Allow selection of existing user IDs only when user is visible

https://community.openproject.org/work_packages/73369

app/controllers/concerns/member_helper.rb

@@ -56,7 +56,7 @@ module MemberHelper
   def invite_new_user(id, send_notification: true)
     if id.present? && EmailValidator.valid?(id) # we've got an email - invite that user
       invite_existing_or_new_users(email: id, send_notification:)
-    else
+    elsif Principal.visible(current_user).exists?(id: id)
       id
     end
   end

spec/controllers/members_controller_spec.rb

@@ -250,6 +250,27 @@ RSpec.describe MembersController do
         expect(ActionMailer::Base.deliveries).to be_empty
       end
     end
+
+    context "when adding by direct user ID a user who is not visible" do
+      let!(:hidden_user) { create(:user) }
+      let(:params) do
+        {
+          project_id: project.id,
+          member: {
+            role_ids: [role.id],
+            user_ids: [hidden_user.id]
+          }
+        }
+      end
+
+      it "does not add the hidden user as a member" do
+        expect { post :create, params: }
+          .to change(Member, :count).by(0)
+
+        hidden_user.reload
+        expect(hidden_user).not_to be_member_of(project)
+      end
+    end
   end
 
   describe "#create" do

spec/controllers/shares_controller_spec.rb

@@ -31,7 +31,7 @@
 require "spec_helper"
 
 RSpec.describe SharesController do
-  shared_let(:user) { create(:user) }
+  shared_let(:user) { create(:user, global_permissions: %i[view_all_principals]) }
   shared_let(:view_user) { create(:user) }
   shared_let(:edit_user) { create(:user) }
   shared_let(:project_query) { create(:project_query, user:) }

spec/features/users/invite_user_modal/invite_user_modal_spec.rb

@@ -383,7 +383,7 @@ RSpec.describe "Invite user modal", :js do
           end
 
           context "with permissions to manage placeholders" do
-            let(:global_permissions) { %i[manage_placeholder_user] }
+            let(:global_permissions) { %i[view_all_principals manage_placeholder_user] }
 
             it_behaves_like "invites the principal to the project" do
               let(:added_principal) { PlaceholderUser.find_by!(name: "MY NEW PLACEHOLDER") }