From f5be8df3e10210dbe7a6cd9f243702a61ba50d86 Mon Sep 17 00:00:00 2001 From: MAEDA Go Date: Sat, 12 Jun 2021 16:41:30 +0900 Subject: [PATCH 1/2] Allow non-admin users to see group members when the group is visible --- app/controllers/groups_controller.rb | 8 ++++++-- app/views/groups/show.html.erb | 7 ++++++- test/functional/groups_controller_test.rb | 11 +++++++++++ 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index f6358080b..0ca636e19 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -21,7 +21,7 @@ class GroupsController < ApplicationController layout 'admin' self.main_menu = false - before_action :require_admin + before_action :require_admin, :except => [:show] before_action :find_group, :except => [:index, :new, :create] accept_api_auth :index, :show, :create, :update, :destroy, :add_users, :remove_user @@ -50,8 +50,12 @@ class GroupsController < ApplicationController end def show + return render_404 unless @group.visible? + respond_to do |format| - format.html + format.html do + render :layout => 'base' + end format.api end end diff --git a/app/views/groups/show.html.erb b/app/views/groups/show.html.erb index 4f413afe8..ad7ee2626 100644 --- a/app/views/groups/show.html.erb +++ b/app/views/groups/show.html.erb @@ -1,4 +1,8 @@ -<%= title [l(:label_group_plural), groups_path], @group.name %> +
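Review bot: With `:except => [:show]` added to `before_action :require_admin`, the only authorization left for `show` is the `@group.visible?` line inside the action body, and nothing at the filter declaration says so. `accept_api_auth` in the same hunk still lists `:show`, so the action is now reachable with any user's API key as well as from an anonymous browser session. I would add a comment above the filter, for example `# :show is exempt from require_admin; it authorizes per group via @group.visible? in the action`, so that a later edit of `show` does not silently remove the last check. The class body continues outside the hunk.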
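Review bot: The `@group.visible?` guard at the top of `show` decides only whether the group itself may be seen, while `format.api` is left unchanged and now answers non-admin callers with whatever the API template emits. That template is not part of this patch, so it is worth confirming that any member list or project memberships it can return are limited to users and projects the caller is allowed to see, since until now only administrators received that response. Returning 404 rather than 403 for a hidden group is the right choice because it does not confirm that the id exists. A functional test that requests the API format as a non-admin user would pin this behaviour down.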
+<%= link_to(l(:button_edit), edit_group_path(@group), :class => 'icon icon-edit') if User.current.admin? %> +
+ +

<%= @group.name %>

<% if @group.custom_field_values.any? %> +<% html_title @group.name %> diff --git a/test/functional/groups_controller_test.rb b/test/functional/groups_controller_test.rb index 976815209..efb588198 100644 --- a/test/functional/groups_controller_test.rb +++ b/test/functional/groups_controller_test.rb @@ -47,6 +47,9 @@ class GroupsControllerTest < Redmine::ControllerTest end def test_show + Role.anonymous.update! :users_visibility => 'all' + + @request.session[:user_id] = nil get(:show, :params => {:id => 10}) assert_response :success end @@ -70,6 +73,14 @@ class GroupsControllerTest < Redmine::ControllerTest assert_response 404 end + def test_show_group_that_is_not_visible_should_return_404 + Role.anonymous.update! :users_visibility => 'members_of_visible_projects' + + @request.session[:user_id] = nil + get :show, :params => {:id => 10} + assert_response 404 + end + def test_new get :new assert_response :success -- 2.31.1
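Review bot: The context line `<% if @group.custom_field_values.any? %>` is now evaluated for non-admin and anonymous viewers, and it reads the group's unfiltered custom field values. If the part of the template outside this hunk renders from the same collection, fields that were previously shown only to administrators become readable by anyone who can see the group; `@group.visible_custom_field_values` is the filtered accessor to use in that case. The same question applies to the member list further down the template, which should show only users the current viewer may see. Guarding the edit link with `User.current.admin?` is presentation only, which is fine here because the controller hunk keeps every action except `show` behind `require_admin`.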
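Review bot: `test_show` now exercises only an anonymous request with `users_visibility` set to `'all'`, so nothing in these hunks checks what a non-admin is actually shown or that an administrator still gets the page. I would assert in `test_show` that the edit link is absent for the anonymous request, for example `assert_select 'a.icon-edit', 0`, and add a sibling test with an admin session that expects the link. `test_show_group_that_is_not_visible_should_return_404` covers the HTML format only; the same request in the API format deserves its own case, because `show` is also listed in `accept_api_auth`.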