I can reproduce it on 3.2-stable (the Affected version is set to 3.1.3 since this is the latest version available in the custom field). The actual issue was found on a Redmine 3.2.1.
#20206 fixes a related issue for the default non-member role. Now with a custom non-member role, the problem is back. It is however important to strictly reproduce the setup described by Alexander: you need the default non-member role to have the Issue visibility set to all. You also need a different role with restricted issue visibility assigned as non-member role for the specific project.
The result is that Project.allowed_to_condition first considers the default non-member role and adds statements since the default role has the permission to view all issues. However, the custom role has not. Now the bug is that Project.allowed_to_condition does not consider custom default-roles in this first step. They are only considered later in User#projects_by_role.
I think a quick patch could look like this (mostly untested):
diff --git a/app/models/project.rb b/app/models/project.rb
index 197f45e..9f177ee 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -197,7 +197,7 @@ class Project < ActiveRecord::Base
if role.allowed_to?(permission)
s = "#{Project.table_name}.is_public = #{connection.quoted_true}"
if user.id
- s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} WHERE user_id = #{user.id}))"
+ s = "(#{s} AND #{Project.table_name}.id NOT IN (SELECT project_id FROM #{Member.table_name} LEFT OUTER JOIN #{Principal.table_name} ON #{Member.table_name}.user_id = #{Principal.table_name}.id WHERE #{Member.table_name}.user_id = #{user.id} OR #{Principal.table_name}.type IN ('GroupAnonymous', 'GroupNonMember')))"
end
statement_by_role[role] = s
end
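Review bot: In the added line, the filter IN ('GroupAnonymous', 'GroupNonMember') sits inside the "if user.id" branch, which only runs for logged-in users, so a project where only the anonymous group has a membership is also dropped from the non-member statement; restricting the filter to 'GroupNonMember' in this branch would avoid that. The path without user.id still gets the bare is_public statement, so a custom anonymous role is not covered by this hunk and would need an equivalent exclusion. Since the patch is described as mostly untested, a regression test with the setup from the report (default non-member role with issue visibility set to all, plus a restricted custom non-member role on one project) should accompany it.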