From d675f09e8e5d34e08fe9cb8362aee92fcaffef78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Tue, 24 Mar 2026 09:49:36 +0100 Subject: [PATCH] Allow selection of existing user IDs only when user is visible https://community.openproject.org/work_packages/73369 --- app/controllers/concerns/member_helper.rb | 2 +- spec/controllers/members_controller_spec.rb | 21 +++++++++++++++++++ spec/controllers/shares_controller_spec.rb | 2 +- .../invite_user_modal_spec.rb | 2 +- 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/app/controllers/concerns/member_helper.rb b/app/controllers/concerns/member_helper.rb index 7de2d62e837..fb3808124f2 100644 --- a/app/controllers/concerns/member_helper.rb +++ b/app/controllers/concerns/member_helper.rb @@ -56,7 +56,7 @@ module MemberHelper def invite_new_user(id, send_notification: true) if id.present? && EmailValidator.valid?(id) # we've got an email - invite that user invite_existing_or_new_users(email: id, send_notification:) - else + elsif Principal.visible(current_user).exists?(id: id) id end end diff --git a/spec/controllers/members_controller_spec.rb b/spec/controllers/members_controller_spec.rb index 374d82a92f9..42c8abf0550 100644 --- a/spec/controllers/members_controller_spec.rb +++ b/spec/controllers/members_controller_spec.rb @@ -250,6 +250,27 @@ RSpec.describe MembersController do expect(ActionMailer::Base.deliveries).to be_empty end end + + context "when adding by direct user ID a user who is not visible" do + let!(:hidden_user) { create(:user) } + let(:params) do + { + project_id: project.id, + member: { + role_ids: [role.id], + user_ids: [hidden_user.id] + } + } + end + + it "does not add the hidden user as a member" do + expect { post :create, params: } + .to change(Member, :count).by(0) + + hidden_user.reload + expect(hidden_user).not_to be_member_of(project) + end + end end describe "#create" do diff --git a/spec/controllers/shares_controller_spec.rb b/spec/controllers/shares_controller_spec.rb index 4a49b7fa208..6424461db3e 100644 --- a/spec/controllers/shares_controller_spec.rb +++ b/spec/controllers/shares_controller_spec.rb @@ -31,7 +31,7 @@ require "spec_helper" RSpec.describe SharesController do - shared_let(:user) { create(:user) } + shared_let(:user) { create(:user, global_permissions: %i[view_all_principals]) } shared_let(:view_user) { create(:user) } shared_let(:edit_user) { create(:user) } shared_let(:project_query) { create(:project_query, user:) } diff --git a/spec/features/users/invite_user_modal/invite_user_modal_spec.rb b/spec/features/users/invite_user_modal/invite_user_modal_spec.rb index 7459e637f22..44b87409c00 100644 --- a/spec/features/users/invite_user_modal/invite_user_modal_spec.rb +++ b/spec/features/users/invite_user_modal/invite_user_modal_spec.rb @@ -383,7 +383,7 @@ RSpec.describe "Invite user modal", :js do end context "with permissions to manage placeholders" do - let(:global_permissions) { %i[manage_placeholder_user] } + let(:global_permissions) { %i[view_all_principals manage_placeholder_user] } it_behaves_like "invites the principal to the project" do let(:added_principal) { PlaceholderUser.find_by!(name: "MY NEW PLACEHOLDER") }