Redmine

I've marked version 3.0.0 as the affected one because in Debian the package is versioned as 3.0~20140825, but the code suggests that the current Redmine might still be affected.

As stated in the subject, when there is a following situation:
User 9 gets its role (6) directly and from the group's (12) role. For role 6 there is a "required" flag for some field.

# select member_roles.id, role_id, member_id,
  user_id, inherited_from, type
  from member_roles
  join members on member_roles.member_id = members.id
  join users on user_id = users.id
  where user_id in (9, 12);
 id | role_id | member_id | user_id | inherited_from | type  
----+---------+-----------+---------+----------------+-------
 33 |       6 |        13 |      12 |                | Group
 38 |       6 |        15 |       9 |             33 | User
 29 |       6 |        15 |       9 |                | User
(3 rows)

Field permissions (like "required") are ignored which leads to a workflow violation.

The reason is that in models/issue.rb inside workflow_rule_by_attribute() there is a line next if rules.size < roles.size. When a role for the user comes from both directly the user and the group, the same role is returned twice by roles_for_project() and the condition becomes true. In consequence the returned result of workflow_rule_by_attribute() is empty.

I propose changing one line in models/user.rb in roles_for_project(), i.e. from membership.roles to membership.roles.uniq. A short patch attached.

Note to future self: next if rules.size < roles.size means "don't apply permissions if for the field for any of the roles there is none set (inherited lack of restrictions)".