[v10.0/forgejo] fix: consider public issues for project boards (#7144)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7143

- The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking.
- The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project.
- This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query.
- Added unit testing.
- Added integration testing.
- Resolves Codeberg/Community#1809
- Regression of https://codeberg.org/forgejo/forgejo/pulls/6843

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7144
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>

tests/integration/private_project_test.go

@@ -24,7 +24,7 @@ func TestPrivateIssueProject(t *testing.T) {
 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 	sess := loginUser(t, user2.Name)
 
-	test := func(t *testing.T, sess *TestSession, username string, projectID int64, hasAccess bool) {
+	test := func(t *testing.T, sess *TestSession, username string, projectID int64, hasAccess bool, publicIssueHref ...string) {
 		t.Helper()
 		defer tests.PrintCurrentTest(t, 1)()
 
@@ -35,9 +35,9 @@ func TestPrivateIssueProject(t *testing.T) {
 		htmlDoc := NewHTMLParser(t, resp.Body)
 		openCloseStats := htmlDoc.Find(".milestone-toolbar .group").First().Text()
 		if hasAccess {
-			assert.Contains(t, openCloseStats, "1\u00a0Open")
+			assert.Contains(t, openCloseStats, "2\u00a0Open")
 		} else {
-			assert.Contains(t, openCloseStats, "0\u00a0Open")
+			assert.Contains(t, openCloseStats, "1\u00a0Open")
 		}
 		assert.Contains(t, openCloseStats, "0\u00a0Closed")
 
@@ -46,14 +46,21 @@ func TestPrivateIssueProject(t *testing.T) {
 		resp = sess.MakeRequest(t, req, http.StatusOK)
 
 		htmlDoc = NewHTMLParser(t, resp.Body)
-		htmlDoc.AssertElement(t, ".project-column .issue-card", hasAccess)
+		issueCardsLen := htmlDoc.Find(".project-column .issue-card").Length()
+		if hasAccess {
+			assert.EqualValues(t, 2, issueCardsLen)
+		} else {
+			assert.EqualValues(t, 1, issueCardsLen)
+			// Ensure that the public issue is shown.
+			assert.EqualValues(t, publicIssueHref[0], htmlDoc.Find(".project-column .issue-card .issue-card-title").AttrOr("href", ""))
+		}
 
 		// And that the issue count is correct.
 		issueCount := strings.TrimSpace(htmlDoc.Find(".project-column-issue-count").Text())
 		if hasAccess {
-			assert.EqualValues(t, "1", issueCount)
+			assert.EqualValues(t, "2", issueCount)
 		} else {
-			assert.EqualValues(t, "0", issueCount)
+			assert.EqualValues(t, "1", issueCount)
 		}
 	}
 
@@ -66,7 +73,7 @@ func TestPrivateIssueProject(t *testing.T) {
 		})
 
 		t.Run("Anonymous user", func(t *testing.T) {
-			test(t, emptyTestSession(t), org.Name, orgProject.ID, false)
+			test(t, emptyTestSession(t), org.Name, orgProject.ID, false, "/org3/repo21/issues/1")
 		})
 	})
 
@@ -78,7 +85,7 @@ func TestPrivateIssueProject(t *testing.T) {
 		})
 
 		t.Run("Anonymous user", func(t *testing.T) {
-			test(t, emptyTestSession(t), user2.Name, userProject.ID, false)
+			test(t, emptyTestSession(t), user2.Name, userProject.ID, false, "/user2/repo1/issues/1")
 		})
 	})
 }